Key distillation from quantum channels using two-way communication protocols 
We provide a general formalism to characterize the cryptographic properties of quantum channels
in the realistic scenario where the two honest parties employ prepare and measure protocols and 
the known two-way communication reconciliation techniques. We obtain a necessary and sufficient 
condition to distill a secret key using this type of schemes for Pauli qubit channels and generalized 
Pauli channels in higher dimension. Our results can be applied to standard protocols such as BB84 or 
six-state, giving a critical error rate of 20% and 27.6%, respectively. We explore several possibilities 
to enlarge these bounds, without any improvement. These results suggest that there may exist 
weakly entangling channels useless for key distribution using prepare and measure schemes. 



I. INTRODUCTION 

Quantum Cryptography, that is, Quantum Key Distribution (QKD) followed by
one-time pad, is one of the most important quantum information applications.
The existing cryptographic methods using classical resources base their
security on technical assumptions about the capabilities of the eavesdropper,
often called Eve, such as finite computational power or bounded memory. In
contrast to all these schemes, the security proofs of QKD protocols, e.g. the
BB84 protocol, do not rely on any assumption on Eve's power: they are simply
based on the fact that Eve's devices, as well as those of the honest parties,
are governed by quantum theory. Thus, well-established quantum features, such
as the monogamy of quantum correlations (entanglement) or the impossibility of
perfect cloning, make QKD secure. Actually, any possible quantum attack by Eve
would introduce errors and modify the expected quantum correlations between
the honest parties, Alice and Bob. The amount of these errors can be estimated
using public discussion, so the honest parties can judge whether their quantum
channel can be used for secure QKD, or abort the insecure transmission
otherwise.

The monogamy of entangled quantum states can be simply illustrated in the
scenario where two distant parties know that they share a two-qubit maximally
entangled state, the so-called ebit,

Since the state is pure, it cannot be correlated with a third eavesdropping
party. So, Alice and Bob can safely map their ebit into a secret bit by just
measuring in the computational bases (see Fig. 1). By secret bit we mean a
random bit shared by Alice and Bob that is uncorrelated to Eve, namely
$P(A, B, E) = P(A, B)P(E)$ and $P(A = 0, B = 0) = P(A = 1, B = 1) = 1/2$,
where $P(A, B, E)$ denotes the probability distribution describing Alice, Bob
and Eve's correlations. Then, a simple QKD protocol could consist of Alice
locally preparing a state, sending half of this state through the channel to
Bob, and then measuring in the computational bases. However, any realistic
channel between Alice and Bob is in general noisy, so the state sent by Alice
interacts with the environment and is transformed into a mixed state,
$\rho_{AB}$. As a consequence of the noisy interaction with the environment,
Alice and Bob's measurement outcomes are no longer perfectly correlated. The
honest parties then should know how to deal with errors. They should safely
assume that Eve has the power to control all the environment, so all the
errors are due to her interaction with the sent states: the larger the
observed error rate, the larger Eve's information.

Entanglement distillation protocols offer a possible solution to the problem
of errors or decoherence in the quantum channel. Entanglement distillation is
a technique that allows two separate parties to transform, by local operations
and classical communication (LOCC), many copies of a known entangled mixed
state into a smaller number of pure ebits. These ebits can later be consumed
to establish secret bits. However, entanglement distillation protocols are far
from feasible with present-day technology. This is because they require the
use of a quantum memory, a device able to store quantum states, and controlled
coherent operations. Both techniques turn out to be experimentally very
challenging.

However, in order to establish secret bits, Alice and Bob do not necessarily
have to go through entanglement distillation. A much more feasible family of
protocols consists of the honest parties measuring their quantum states at the
single-copy level and then applying classical distillation techniques to the
obtained measurement outcomes. We denote these SIngle-copy Measurements plus
ClAssical Processing protocols as SIMCAP [8]. Actually, it is well known that
in the case of SIMCAP protocols, the honest parties do not have to use
entanglement at all for the correlation distribution. Indeed, Alice's
preparation of the entangled two-qubit state plus measurement can be replaced
by the preparation of a one-qubit state that is sent through the noisy channel
to Bob, who later measures it. That is, any SIMCAP protocol in the
entanglement picture is equivalent to a prepare and measure scheme, which is
much more feasible from an applied point of view. The BB84 and the six-state
protocols constitute known examples of prepare and measure QKD schemes.

FIG. 1: Schematic diagram for key distillation from quantum states: a secret
key can be distilled either by entanglement distillation plus measurement,
which is an experimentally challenging process, or by measurement plus
classical processing of the outcomes, whose implementation is much more
feasible.

Independently of the type of measurements or distillation techniques employed
in the protocol, a first and crucial step in any QKD scheme consists of a
tomographic process by Alice and Bob to obtain information about their
connecting quantum channel. By means of this process, Alice and Bob should
conclude whether the secrecy properties of their channel are sufficient to run
a QKD protocol. In the standard formulation, the cryptographic properties of
quantum channels are referred to a specific protocol. For instance, a standard
problem is to determine the critical quantum bit error rate (QBER) in the
channel such that key distillation is possible using one- or two-way
distillation techniques with the BB84 protocol. However, it appears meaningful
to identify and quantify the cryptographic properties of a quantum channel by
itself, independently of any pre-determined QKD protocol. Indeed, this is
closer to what happens in reality, where the channel connecting Alice and Bob
is fixed. Therefore, after the tomographic process, the two honest parties
should design the protocol which is best tailored to the estimated channel
parameters. In this sense, it is well known that no secure QKD can be
established using an entanglement-breaking channel, while the detection of
entanglement already guarantees the presence of some form of secrecy [13].
Beyond these two results, little is known about which channel properties are
necessary and/or sufficient for secure QKD.

In the present work, we analyze the cryptographic properties of quantum
channels when Alice and Bob employ QKD schemes where (i) the correlation
distribution is done using prepare and measure techniques and (ii) the key
distillation process uses the standard one-way and two-way classical
protocols. Indeed, these are the techniques presently used in any realistic
QKD implementation. It should be clear, then, that none of the protocols
considered here require the use of entangled particles. However, for the sake
of simplicity, we perform our analysis in the completely equivalent
entanglement picture. As it becomes clearer below, the problem then consists
of identifying those quantum states that can be distilled into secret bits by
SIMCAP protocols restricted to the known distillation techniques. A first step
in this direction has recently been given in [14]. There, a rather easily
computable and powerful necessary condition for secure QKD is derived, which
is shown to be sufficient against the so-called collective attacks (see
below). In general, the derived necessary condition is more restrictive than
the entanglement condition. In this work, we first rederive the security
condition of [14], improving the security analysis. Since collective attacks
have been proven to be as powerful as general attacks [15], our condition
actually applies to any attack. We show how to apply this condition to the
standard BB84 and six-state protocols. Next, we explore several possibilities
to improve the obtained security bounds. Remarkably, all these alternatives
fail, which suggests the existence of non-distillable entangled states under
general SIMCAP protocols. Then, we move to higher dimensional systems, also
called qudits, and extend the results to generalized Bell diagonal qudit
channels. The obtained security condition turns out to be tight for the
so-called (d + 1)- and 2-bases protocol of
Ref. 0. 

The article is organized as follows. Section II defines what we call realistic
protocols. In section III we introduce and classify several eavesdropping
attacks. Exploiting the connection between QKD and the de Finetti theorem
established by Renner [15], we can restrict the security analysis to the
so-called collective attacks, where Eve applies the same interaction to each
quantum state. Then, we briefly review some of the existing security bounds
for the two most commonly used prepare and measure protocols, BB84 and
six-state (section III D). In the next section, we derive the announced
security condition for qubit channels and apply it to the two mentioned
protocols. We then show that neither pre-processing nor coherent quantum
operations by one of the parties improves the obtained security bounds. In
section VII we move to higher dimensional systems, extending the security
conditions to generalized Bell diagonal channels. Then, we apply this
condition to the (d + 1)- and 2-bases protocols of which can be understood as
the natural generalization to qudits of the BB84 and the six-state protocols,
and prove the tightness for these protocols. Finally, section IX summarizes
the main results and open questions discussed in this work. Most of the
technical details are left for the appendices.



II. REALISTIC PROTOCOL 

There exist plenty of QKD protocols in the literature. Here, we restrict our
considerations to what we call realistic protocols, where Alice prepares and
sends states from a chosen basis to Bob, who measures in another (possibly
different) basis. This establishes some classical correlations between the two
honest parties. Of course this process alone is clearly insecure, since Eve
could apply an intercept-resend strategy in the same basis as Alice's state
preparation, acquiring the whole information without being detected.
Therefore, from time to time, Alice and Bob should change their state
preparation and measurements to monitor the channel and exclude this
possibility. Alice and Bob announce these symbols to extract information about
their channel, so these instances do not contribute to the final key rate.
Indeed these symbols are wasted in the tomographic process previously
mentioned. However, in the limit of large sequences, the fraction of cases
where Alice and Bob monitor the channel can be made negligible in comparison
with the key length, but still sufficient to have a faithful description of
some channel parameters, such as the QBER [12]. The states sent by Alice will
be transformed into a mixed state because of Eve's interaction. This
decoherence will produce errors in the measurement values obtained by Bob. The
security analysis aims at answering whether the observed decoherence in the
channel is small enough to allow Alice and Bob to distill a secret key. We
call these protocols realistic in the sense that they do not involve
experimentally difficult quantum operations, such as coherent measurements,
quantum memories or the generation of entangled particles. The establishment
of correlations is done by just generating one-qubit states and measuring them
in two or more bases. Additionally, one could think of including a filtering
single-copy measurement on Bob's side. This operation is harder than a
standard projective measurement, but still feasible with present-day
technology.

The above scenario can be explained in the completely equivalent
entanglement-based scenario, which turns out to be much more convenient for
the theoretical analysis. In the entanglement-based scheme, the information
encoding by Alice is replaced by generating and measuring half of a maximally
entangled state. That is, Alice first locally generates a maximally entangled
two-qubit state and sends half of it to Bob through the channel. A mixed state
$\rho_{AB}$ is then shared by the two honest parties, due to the interaction
with the environment controlled by Eve. Now, Alice and Bob measure in two
bases to map their quantum correlations into classical correlations. For
instance, if Alice and Bob measure in the computational bases, the QBER simply
reads

$$\epsilon_{AB} = \langle 01|\rho_{AB}|01\rangle + \langle 10|\rho_{AB}|10\rangle.$$



It can be imposed that Alice's local state cannot be modified by Eve, since
the corresponding particle never leaves Alice's lab, which is assumed to be
secure. It has to be clear that the techniques of [9] imply the equivalence
between SIMCAP protocols on entangled states and prepare and measure QKD
schemes: the correlation distribution is, from the secrecy point of view,
identical. This equivalence, for instance, is lost if one considers
entanglement distillation protocols for QKD, where the particles are measured
by the honest parties after applying coherent quantum operations.

FIG. 2: A tripartite pure state is prepared by Eve, who sends two of the
particles to Alice and Bob and keeps one. From Alice and Bob's viewpoint the
situation resembles a standard noisy channel. The honest parties perform
measurements at the single copy level, possibly with some preliminary
filtering step. Eve keeps her quantum states and can arbitrarily delay her
collective measurement.



A. Classical key distillation 

After the correlation distribution, either using prepare and measure or SIMCAP
protocols, Alice and Bob share partially secret correlations to be distilled
into the perfect key. The problem of distilling noisy and partially secret
correlations into a secret key has not been completely solved. Recently,
general lower bounds to the distillable secret-key rate by means of error
correction and privacy amplification using one-way communication have been
obtained in [19]. In case the correlations are too noisy for the direct use of
one-way distillation techniques, Alice and Bob can first apply a protocol
using two-way communication. The obtained correlations after this two-way
process may become distillable using one-way protocols. Much less is known
about key distillation using two-way communication. Here we mostly apply the
standard two-way communication protocol introduced by Maurer in [20], also
known as classical advantage distillation (CAD). Actually, we analyze the
following two slightly different CAD protocols:

• CAD1. Alice and Bob share a list of correlated bits. Alice selects N of her
bits that have the same value and publicly announces the position of these
symbols. Bob checks whether his corresponding symbols are also equal. If this
is the case, Bob announces to Alice that he accepts, so they use the
measurement values (they are all the same) as a bit for the new list.
Otherwise, they reject the N values and start the process again with another
block.

• CAD2. Alice locally generates a random bit s. She takes a block of N of her
bits, A, and computes the vector

$$X = (X_1, \cdots, X_N) \tag{2}$$

such that $A_i + X_i = s$. She then announces the new block X through the
public and authenticated classical channel. After receiving X, Bob adds it to
his corresponding block, B + X, and accepts whenever all the resulting values
are the same. If not, the symbols are discarded and the process is started
again, as above.
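
The two CAD variants above can be simulated on classical bit strings. The following Python sketch is an added example, not code from the paper: the function names, the sample data (Bob's bits are Alice's bits flipped independently with probability `qber`) and the closed-form `predicted_error` for independent errors are assumptions of this example.

```python
import random

def correlated_bits(n, qber, rng):
    """Constructed sample data: uniform Alice bits, each flipped for Bob
    independently with probability `qber`."""
    alice = [rng.getrandbits(1) for _ in range(n)]
    bob = [a ^ int(rng.random() < qber) for a in alice]
    return alice, bob

def cad1_block(a_block, b_block):
    """CAD1 on one block: Alice's N bits share one value; Bob accepts only
    if his N bits are also all equal. Returns (alice_bit, bob_bit) or None."""
    if len(set(a_block)) != 1:
        raise ValueError("CAD1 block must hold equal Alice bits")
    if len(set(b_block)) != 1:
        return None
    return a_block[0], b_block[0]

def cad2_block(a_block, b_block, s):
    """CAD2 on one block: Alice publishes X with A_i + X_i = s (mod 2);
    Bob accepts only if all values of B + X coincide."""
    x = [s ^ a for a in a_block]                  # public vector X
    y = [b ^ xi for b, xi in zip(b_block, x)]     # Bob's B + X
    if len(set(y)) != 1:
        return None
    return s, y[0]

def run_cad1(alice, bob, n):
    """Group positions by Alice's bit value and process them in blocks of n."""
    out = []
    for value in (0, 1):
        pos = [i for i, a in enumerate(alice) if a == value]
        for k in range(0, len(pos) - n + 1, n):
            idx = pos[k:k + n]
            r = cad1_block([alice[i] for i in idx], [bob[i] for i in idx])
            if r is not None:
                out.append(r)
    return out

def run_cad2(alice, bob, n, rng):
    """Process consecutive blocks of n bits, with a fresh random s per block."""
    out = []
    for k in range(0, len(alice) - n + 1, n):
        r = cad2_block(alice[k:k + n], bob[k:k + n], rng.getrandbits(1))
        if r is not None:
            out.append(r)
    return out

def error_rate(pairs):
    return sum(a != b for a, b in pairs) / len(pairs)

def predicted_error(qber, n):
    """Bob accepts iff the n errors are all 0 or all 1 (independent errors)."""
    return qber**n / (qber**n + (1 - qber)**n)

def demo(qber=0.2, n=3, n_bits=300_000, seed=1):
    rng = random.Random(seed)
    alice, bob = correlated_bits(n_bits, qber, rng)
    return {
        "raw": error_rate(list(zip(alice, bob))),
        "cad1": error_rate(run_cad1(alice, bob, n)),
        "cad2": error_rate(run_cad2(alice, bob, n, rng)),
        "predicted": predicted_error(qber, n),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:9s} {value:.4f}")
```

Both variants accept a block exactly when Bob's errors in it are all equal, which is why their residual error rates agree on classical data; the simulation says nothing about Eve's information, which is what the security analysis below addresses.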

These protocols are equivalent in classical cryptography and in the completely
general quantum scenario. Nevertheless, it is shown in section IV C that they
are different in some particular, but still relevant, scenarios. In what
follows, we restrict the analysis to key distillation protocols consisting of
CAD followed by standard one-way error correction and privacy amplification.
Thus, it is important to keep in mind that any security claim refers to this
type of key-distillation protocol. Although these are the protocols commonly
used when considering two-way reconciliation techniques, their optimality, at
least in terms of robustness, has not been proven.



III. EAVESDROPPING STRATEGIES

After describing Alice and Bob's operations, it is now time to consider Eve's
attacks. With full generality, we suppose that Eve has the power to control
all the environment. That is, all the information that leaks out through the
channel connecting Alice and Bob goes to Eve, so all the decoherence seen by
Alice and Bob is introduced by her interaction. Following Ref. [14],
eavesdropping strategies can be classified into three types: (i) individual,
(ii) collective and (iii) coherent. Once more, although most of the following
discussion is presented in the entanglement picture, the same conclusions
apply to the corresponding prepare and measure scheme.

A. Individual attacks

In an individual attack Eve is assumed to apply the same interaction to each
state, without introducing correlations among copies, and measure her state
right after this interaction. In this type of attack, all three parties
immediately measure their states, since no one is supposed to have the ability
to store quantum states. Therefore, they end up sharing
classical-classical-classical (CCC) correlated measurement outcomes, described
by a probability distribution P(A, B, E). In this case, standard results from
Classical Information Theory can be directly applied. For instance, it is well
known that the secret-key rate using one-way communication, $K_\rightarrow$,
is bounded by the so-called Csiszár-Körner bound,

$$K_\rightarrow \geq I(A:B) - I(A:E). \tag{3}$$

Here I(A:B) denotes the classical mutual information between the measurement
outcomes A and B. It reads

$$I(A:B) = H(A) - H(A|B), \tag{4}$$

where H denotes the standard Shannon entropy. In this type of attack, Eve's
interaction can be seen as a sort of asymmetric cloning [23] producing two
different approximate copies, one for Bob and one for her. This cloning
transformation reads
$U_{BE} : |\Phi^+\rangle_{AB}|E\rangle \rightarrow |\psi\rangle_{ABE}$, where
$\rho_{AB} = \mathrm{tr}_E |\psi\rangle\langle\psi|_{ABE}$. It has been shown
that in the case of two qubits, two honest parties can distill a secret key
secure against any individual attacks whenever their quantum state
$\rho_{AB}$ is entangled.

It is clear that proving security against individual attacks is not
satisfactory from a purely theoretical point of view. However, we believe it
is a relevant issue when dealing with realistic eavesdroppers. Assume Eve's
quantum memory decoherence rate is nonzero and the honest parties are able to
estimate it. Then, they can introduce a delay between the state distribution
and the distillation process long enough to prevent Eve from keeping her
states without errors. Eve is then forced to measure her states before the
reconciliation, as for an individual attack.

B. Collective Attacks

Collective attacks represent, in principle, an intermediate step between
individual and the most general attack. Eve is again assumed to apply the same
interaction to each quantum state, but she has a quantum memory. In other
words, she is not forced to measure her state after the interaction and can
arbitrarily delay her measurement. In particular, she can wait until the end
of the reconciliation process and adapt her measurement to the public
information exchanged by Alice and Bob. After a collective attack, the two
honest parties share N independent copies of the same state,
$\rho_{AB}^{\otimes N}$, where no correlation exists from copy to copy.
Without losing generality, the full state of the three parties can be taken
equal to $|\psi\rangle_{ABE}^{\otimes N}$, where

$$|\psi\rangle_{ABE} = (I_A \otimes U_{BE})|\Phi^+\rangle_{AB}|E\rangle. \tag{5}$$

After a collective attack, and the measurements by Alice and Bob, the three
parties share classical-classical-quantum (CCQ) correlations, described by a
state

$$\sum_{a,b} [a] \otimes [b] \otimes [e_{ab}], \tag{6}$$

where a and b denote Alice and Bob's measurement outcomes associated to the
measurement projectors [a] and [b]. Throughout this paper, square brackets
denote one-dimensional projectors, e.g. $[\psi] = |\psi\rangle\langle\psi|$.
Note that $[e_{ab}]$ is not normalized, since
$|e_{ab}\rangle = \langle ab|\psi\rangle_{ABE}$ and
$p(a,b) = \mathrm{tr}[e_{ab}]$.

The following result, obtained in [19, 24], is largely used in the next
sections. After a collective attack described by a state like Alice and Bob's
one-way distillable key rate satisfies

$$K_\rightarrow \geq I(A:B) - I(A:E). \tag{7}$$
Here, the correlations between Alice and Bob's classical variables are again
quantified by the standard mutual information, I(A:B). The correlations
between Alice's classical and Eve's quantum variables, A and E, are quantified
by the Holevo quantity,

$$I(A:E) = S(E) - S(E|A), \tag{8}$$

where S denotes the Shannon entropy, so $S(E) = S(\rho_E)$ and
$S(E|A) = \sum_a p(a)\, S(\rho_E | A = a)$. Actually the "same" equation (7)
applies when Bob is also able to store quantum states and the three parties
share classical-quantum-quantum (CQQ) correlations. In this case, both mutual
information quantities between Alice's classical variable, A, and Bob's and
Eve's quantum states, denoted by B and E, should be understood as Holevo
quantities. Notice the similarities between (3) and (7). Indeed, the obtained
bounds represent a natural generalization of the CK-bound to the CCQ and CQQ
correlations scenarios.

FIG. 3: Security bounds for QKD protocols using key distillation techniques
with one-way communication: based on the analogy between these techniques and
quantum error correction, the security bounds for the BB84 and the six-state
protocols are 11% and 12.7% respectively. These bounds have later been
improved by information-theoretic considerations up to 12.4% and 14.1%. The
improvement is achieved using some classical pre-processing by one of the
parties.



C. General Attacks and the de Finetti Theorem 

Finally, one has to consider the most general attack where Eve can perform any
kind of interaction. In this case, Alice and Bob cannot assume that they share
N copies of the same quantum state. Compared to the previous attacks, there
were no good bounds for the extractable key rate under general attacks.
However, very recently a dramatic simplification of the security analysis of
QKD protocols under general attacks has been achieved by means of the
so-called de Finetti theorem [15]. Indeed, Renner has proven that general
attacks cannot be more powerful than collective attacks in any protocol that
is symmetric in the use of the quantum channel. This provides a huge
simplification in security proofs, since by means of the de Finetti arguments
(see for more details), Alice and Bob can safely assume that they share N
copies of a quantum state consistent with their tomographic process, and then
apply the existing bounds for this scenario. Note that the de Finetti theorem
should also be employed if one wants to use entanglement distillation as a key
distillation technique. In what follows, then, we can restrict our analysis to
collective attacks, without underestimating Eve's capabilities.

D. Review of the existing Security Bounds 

Finally, we would like to summarize the existing security bounds for the two
best-known QKD protocols, BB84 and six-state. These bounds are usually stated
in terms of the critical QBER such that key distillation is possible. Of
course, these bounds depend on the type of key distillation techniques
employed by the honest parties. Since the first general security proof of BB84
by Mayers [25], security bounds have been constantly improved. Using a quantum
error-correction (of bit-flip and phase-inversion) description of classical
one-way error-correction and privacy amplification, Shor and Preskill showed
the general security of BB84 whenever QBER < 11% [26]. Later, Lo adapted their
proof to the 6-state protocol, obtaining a critical QBER of 12.7% [27]. More
recently, Kraus, Renner, and Gisin have improved these values by introducing
some classical pre-processing by the two honest parties, obtaining critical
QBERs of 12.4% for the BB84 and 14.1% for the six-state protocol [24]. More
recently, the bound for BB84 has been improved up to 12.9% in Ref. [28]. On
the other hand, the known upper bounds on the critical QBER are slightly
higher than these lower bounds, so the exact value for the critical QBER
remains an open question.



The honest parties, however, can apply CAD to their outcomes before using
one-way key-distillation techniques and improve these bounds. The whole
process can now be mapped into a two-way entanglement distillation protocol.
Based on this analogy, Gottesman and Lo have obtained that secure QKD is
possible whenever the QBER is smaller than 18.9% and 26.4% for the BB84 and
six-state protocol, respectively [29]. Chau has improved these bounds up to
20.0% and 27.6% respectively [30]. The generalization of the formalism of [24]
to two-way communication has also been done by Kraus, Branciard and Renner
[31]. We show in the next sections (see also [14]) that, for larger QBER, no
protocol consisting of CAD followed by one-way distillation techniques works.
So, contrary to what happens in the case of one-way communication, there is no
gap between the lower and upper bounds for secure key distribution using the
BB84 and six-state schemes, under the considered reconciliation techniques.

FIG. 4: Security bounds for QKD protocols using two-way followed by one-way
communication techniques: based on the analogy between the two-way plus
one-way communication and two-way entanglement distillation protocol, general
security bounds of the BB84 and the six-state protocols are given by 18.9% and
26.4% respectively [29]. Later, Chau improved the error correction method and
the bounds moved to 20.0% and 27.6% [30]. In sections IV and V, we show that
those bounds are tight. Note that the key distillability condition is stronger
than the entanglement condition, which is 25.0% and 33.3% for the BB84 and the
six-state protocols.


IV. SECRECY PROPERTIES OF QUBIT CHANNELS

After reviewing the main ideas and previous results used in what follows, we
are in a position to derive our results. Consider the situation where Alice
and Bob are connected by a qubit channel. Alice locally prepares a maximally
entangled state of two qubits and sends half of it through the channel. Then,
both parties measure the state. By repetition of this process, they can obtain
a complete, or partial, characterization of their channel, up to some
precision. Indeed, there exists a correspondence between a channel, T, and the
state

$$(\mathbb{1} \otimes T)|\Phi^+\rangle = \rho_{AB}. \tag{9}$$

Now, the parties agree on a pair of bases that will later be used for the raw
key distribution. They repeat the same process but now measure almost always
in these bases. However, with small probability, they have to change their
measurement to the previous tomographic process in order to check the channel.
After public communication, they discard the asymptotically negligible
fraction of symbols where any of them did not use the right basis and proceed
with the key distillation. In what follows, we provide a security analysis of
this type of scheme. Two important points should be mentioned again: (i) as
said, these schemes can be easily transformed into a prepare and measure
protocol, without entanglement, and (ii) using the de Finetti theorem, Alice
and Bob can restrict Eve to collective attacks. In other words, they can
assume that they share N independent copies of the same state,
$\rho_{AB}^{\otimes N}$, that is, the channel does not introduce correlation
between the states. The goal, then, consists of finding the optimal SIMCAP
protocol for the state $\rho_{AB}$, or equivalently, the best prepare and
measure scheme for the channel T.

Generically, $\rho_{AB}$ can be any two-qubit state. However, no key
distillation is possible from separable states, so Alice and Bob abort their
protocol if their measured data are consistent with a separable state. We can
assume, if the state preparation is done by Alice, that her local state,
$\rho_A$, cannot be modified by Eve. In our type of schemes, this state is
equal to the identity. Although our techniques can be used in the general
situation, we mostly restrict our analysis to the case where Bob's state is
also equal to the identity. This is likely to be the case in any realistic
situation, where the channel affects the flying qubits with some symmetry.
This symmetry is reflected by the local state on reception, i.e.
$\rho_B = \mathbb{1}$. In the qubit case, the fact that the two local states
are completely random simply means that the global state $\rho_{AB}$ is Bell
diagonal,

$$\rho_{AB} = \lambda_1[\Phi_1] + \lambda_2[\Phi_2] + \lambda_3[\Phi_3] + \lambda_4[\Phi_4], \tag{10}$$

where $\sum_j \lambda_j = 1$, $\lambda_j > 0$, and

define the so-called Bell basis. Or in other words, T is a Pauli channel.
Pauli channels are very useful, as will become clearer below, in the analysis
of the BB84 and six-state protocols.

It is also worth mentioning here that Alice and Bob can always transform their
generic state $\rho_{AB}$ into a Bell diagonal state by single-copy filtering
operations. Actually, this operation is optimal in terms of entanglement
concentration. Indeed, it maximizes the entanglement of formation of any state
$\rho'_{AB} \propto (F_A \otimes F_B)\rho_{AB}(F_A^\dagger \otimes F_B^\dagger)$
obtained after LOCC operations on a single copy of $\rho_{AB}$ [32]. This
filtering operation succeeds with probability
$\mathrm{tr}\,(F_A \otimes F_B)\rho_{AB}(F_A^\dagger \otimes F_B^\dagger)$. If
$\rho_{AB}$ is already in a Bell-diagonal form, it remains invariant under the
filtering operation. Alternatively, Alice and Bob can also map their state
into a Bell diagonal state by a depolarization protocol, where they apply
randomly correlated changes of basis, but some entanglement may be lost in
this process. In view of all these facts, in what follows we mainly consider
Bell diagonal states.

It is possible to identify a canonical form for these states. This follows
from the fact that Alice and Bob can apply local unitary transformations such
that

$$\lambda_1 = \max_i \lambda_i, \qquad \lambda_2 = \min_i \lambda_i. \tag{12}$$

Indeed, they can permute the Bell basis elements by performing the following
operations

$$T([\Phi_1] \leftrightarrow [\Phi_2]) = 2^{-1}(\mathbb{1} - i\sigma_z) \otimes (\mathbb{1} - i\sigma_z),$$
$$T([\Phi_2] \leftrightarrow [\Phi_3]) = 2^{-1}(\sigma_x + \sigma_z) \otimes (\sigma_x + \sigma_z),$$
$$T([\Phi_3] \leftrightarrow [\Phi_4]) = 2^{-1}(\mathbb{1} + i\sigma_z) \otimes (\mathbb{1} - i\sigma_z). \tag{13}$$

Once the state has been cast in this canonical form, Alice and Bob measure it
in the computational basis. The choice of the computational bases by Alice and
Bob will be justified by our analysis. Indeed, once a Bell-diagonal state has
been written in the previous canonical form, the choice of the computational
bases seems to maximize the secret correlations between Alice and Bob,
although, in general, they may not maximize the total correlations.

Before Alice and Bob's measurements, the global state
including Eve is a pure state that purifies Alice and Bob's
Bell diagonal state, that is,

$$|\psi\rangle_{ABE} = \sum_{i=1}^{4} \sqrt{\lambda_i}\,|\Phi_i\rangle_{AB}\,|i\rangle_E, \tag{14}$$

where $|i\rangle_E$ define an orthonormal basis on Eve's space.
All the purifications of Alice-Bob state are equivalent
from Eve's point of view, since they only differ by a
unitary operation in her space. After the measurements,
Alice, Bob and Eve share CCQ correlations. In the next 
sections we study when these correlations can be dis- 
tilled into a secure key using the standard CAD followed 
by one-way distillation protocols. We first obtain a sufficient
condition for security, using the lower bounds on
the secret-key rate given above, c.f. Q. Then, we com- 
pute a necessary condition that follows from a specific 
eavesdropping attack. It is then shown that the two 
conditions coincide, so the resulting security condition 
is necessary and sufficient, under the mentioned distil- 
lation techniques. Next, we apply this condition to two 
known examples, the BB84 and the six-state protocols. 
We finally discuss several ways of improving the derived 
condition, by changing the distillation techniques, includ- 
ing classical pre-processing by the parties or one-party's 
coherent quantum operations. 



A. Sufficient condition 

In this section we will derive the announced suffi- 
cient condition for security using the lower bound on the 
secret-key rate of Eq. (0. Just before the measurements, 
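the honest parties share a Bell diagonal state (10). This
state is entangled if and only if $\sum_{i=2}^{4} \lambda_i < \lambda_1$, which
follows from the fact that the positivity of the partial
transposition is a necessary and sufficient condition for
separability in 2 x 2 systems [33]. When Alice and Bob
measure in their computational bases, they are left with
classical data $[i,j]_{AB}$ ($i,j \in \{0,1\}$) whereas Eve still
holds a quantum correlated system $|e_{i,j}\rangle_E$. The CCQ
correlations they share are described by the state (up to
normalization)

$$\rho_{ABE} \propto \sum_{i,j} [i,j]_{AB} \otimes [\tilde e_{i,j}]_E, \tag{15}$$

where Eve's states are

$$\begin{aligned}
|\tilde e_{0,0}\rangle &= \sqrt{\lambda_1}\,|1\rangle + \sqrt{\lambda_2}\,|2\rangle, \\
|\tilde e_{0,1}\rangle &= \sqrt{\lambda_3}\,|3\rangle + \sqrt{\lambda_4}\,|4\rangle, \\
|\tilde e_{1,0}\rangle &= \sqrt{\lambda_3}\,|3\rangle - \sqrt{\lambda_4}\,|4\rangle, \\
|\tilde e_{1,1}\rangle &= \sqrt{\lambda_1}\,|1\rangle - \sqrt{\lambda_2}\,|2\rangle,
\end{aligned} \tag{16}$$
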

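and the corresponding states without tilde denote the
normalized vectors. So, after the measurements, Alice
and Bob map $\rho_{AB}^{\otimes N}$ into a list of measurement outcomes,
whose correlations are given by $P_{AB}(i,j)$, where

$$P_{AB}(i,j) = \langle ij|\rho_{AB}|ij\rangle. \tag{17}$$

This probability distribution reads as follows:

  A \ B |           0            |           1
  ------+------------------------+------------------------
    0   | $(1-\epsilon_{AB})/2$  | $\epsilon_{AB}/2$
    1   | $\epsilon_{AB}/2$      | $(1-\epsilon_{AB})/2$

Here, $\epsilon_{AB}$ denotes the QBER, that is,

$$\epsilon_{AB} = \langle 01|\rho_{AB}|01\rangle + \langle 10|\rho_{AB}|10\rangle = \lambda_3 + \lambda_4. \tag{18}$$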

Alice and Bob now apply CAD to a block of N sym- 
bols. Eve listens to the public communication that the 
two honest parties exchange. In particular, she has the 
position of the N symbols used by Alice in J3J), in case 
the honest parties use CAD1, or the N-bit string X for
CAD2. In the second case, Eve applies to each of her
symbols the unitary transformation

$$U_i = [1]_E + (-1)^{X_i}[2]_E + [3]_E + (-1)^{X_i}[4]_E. \tag{19}$$

This unitary operation transforms $|e_{i,j}\rangle_E$ into $|e_{s,j}\rangle_E$,
where s is the secret bit generated by Alice. If Alice
and Bob apply CAD1, Eve does nothing. In both cases,
the resulting state is

$$\rho^{N}_{ABE} = \frac{1-\epsilon_N}{2} \sum_{s=0,1} [s,s]_{AB} \otimes [e_{s,s}]^{\otimes N}
 + \frac{\epsilon_N}{2} \sum_{s=0,1} [s,s+1]_{AB} \otimes [e_{s,s+1}]^{\otimes N}, \tag{20}$$

where $\epsilon_N$ is Alice-Bob error probability after CAD,

$$\epsilon_N = \frac{\epsilon_{AB}^N}{\epsilon_{AB}^N + (1-\epsilon_{AB})^N}
 \le \left(\frac{\epsilon_{AB}}{1-\epsilon_{AB}}\right)^N, \tag{21}$$

and the last inequality tends to an equality when $N \to \infty$.
That is, whatever the advantage distillation protocol
is, i.e. either CAD1 or CAD2, all the correlations among
the three parties before the one-way key extraction step
are described by the state

We can now apply Eq. Q to this CQQ state. 
The probability distribution between Alice and Bob has 
changed to 
  A \ B |          0           |          1
  ------+----------------------+----------------------
    0   | $(1-\epsilon_N)/2$   | $\epsilon_N/2$
    1   | $\epsilon_N/2$       | $(1-\epsilon_N)/2$


where it can be seen that Alice and Bob have improved
their correlation. The CAD protocol has changed the initial
probability distribution P(A, B), with error rate $\epsilon_{AB}$,
into P (A,B), with error rate $\epsilon_N$. The mutual information
between Alice and Bob I(A : B) is easily computed
from the above table. I(A : E) can be derived from (20),
so, after some algebra, the following equality is obtained

$$I(A:B) - I(A:E) = 1 - h(\epsilon_N)
 - (1-\epsilon_N)\, h\!\left(\frac{1 - \Lambda_{eq}^N}{2}\right)
 - \epsilon_N\, h\!\left(\frac{1 - \Lambda_{dif}^N}{2}\right), \tag{22}$$

where

$$\Lambda_{eq} = \frac{\lambda_1 - \lambda_2}{\lambda_1 + \lambda_2} = |\langle e_{0,0}|e_{1,1}\rangle|, \qquad
\Lambda_{dif} = \frac{|\lambda_3 - \lambda_4|}{\lambda_3 + \lambda_4} = |\langle e_{1,0}|e_{0,1}\rangle|, \tag{23}$$

$h(x) = -x \log_2 x - (1-x)\log_2(1-x)$ is the binary entropy,
and the subscript 'eq' ('dif') refers to the resulting value
of Alice being equal to (different from) that of Bob.

Let's compute this quantity in the limit of a large number
of copies, $N \gg 1$, where $\epsilon_N, \Lambda_{eq}^N, \Lambda_{dif}^N \ll 1$. It can be
seen that in this limit

$$I(A:B) \approx 1 + \epsilon_N \log \epsilon_N, \qquad
I(A:E) \approx 1 - \frac{1}{\ln 4}\,\Lambda_{eq}^{2N}. \tag{24}$$

The security condition follows from having positive value
of the Eq. which holds if

$$|\langle e_{0,0}|e_{1,1}\rangle|^2 > \frac{\epsilon_{AB}}{1-\epsilon_{AB}}. \tag{25}$$



More precisely, if this condition is satisfied, Alice and
Bob can always establish a large but finite N such that
Eq. (22) becomes positive. Eq. (25) can be rewritten as

$$(\lambda_1 + \lambda_2)(\lambda_3 + \lambda_4) < (\lambda_1 - \lambda_2)^2. \tag{26}$$


Therefore, whenever the state of Alice and Bob satisfies
the security condition (25) above, they can extract from
$\rho_{AB}$ a secret key with our SIMCAP protocol. This gives
the searched sufficient condition for security for
two-qubit Bell diagonal states or, equivalently, Pauli
channels. Later, it is proven that whenever condition (25)
does not hold, there exists an attack by Eve such that no
standard key-distillation protocol works.

Condition (25) has a clear physical meaning. The r.h.s.
of (22) quantifies how fast Alice and Bob's error probability
goes to zero when N increases. In the same limit, and
since there are almost no errors in the symbols filtered
by the CAD process, Eve has to distinguish between N
copies of $|e_{0,0}\rangle$ and $|e_{1,1}\rangle$. The trace distance between
these two states provides a measure of this distinguishability.
It is easy to see that for large N

$$\mathrm{tr}\,\big|[e_{0,0}]^{\otimes N} - [e_{1,1}]^{\otimes N}\big|
 = 2\sqrt{1 - |\langle e_{0,0}|e_{1,1}\rangle|^{2N}}
 \approx 2 - |\langle e_{0,0}|e_{1,1}\rangle|^{2N}. \tag{27}$$

Thus, the l.h.s. of (22) quantifies how the distinguishability
of the two quantum states on Eve's side after CAD
increases with N. This intuitive idea is indeed behind
the attack described in the next section.

Once this sufficient condition has been obtained, we
can justify the choice of the computational bases for the
measurements by Alice and Bob when sharing a state
(10). Note that the same reasoning as above can be applied
to any choice of bases. The derived security condition
simply quantifies how Alice-Bob error probability
goes to zero with N compared to Eve's distinguishability
of the N copies of the states $|e_{0,0}\rangle$ and $|e_{1,1}\rangle$,
corresponding to the cases a = b = 0 and a = b = 1. The obtained
conditions are not as simple as for measurements in the
computational bases, but they can be easily computed using
numerical means. One can, then, perform a numerical
optimization over all choices of bases by Alice and Bob.
An exhaustive search shows that computational bases are
optimal for this type of security condition. It is interesting
to mention that the bases that maximize the classical
correlations, or minimize the error probability, between
Alice and Bob do not correspond to the computational
bases for all Bell diagonal states (10). Thus, these bases
optimize the secret correlations between the two honest
parties, according to our security condition, although
they may not be optimal for classical correlations.



B. Necessary condition 

After presenting the security condition (25), we now
give an eavesdropping attack that breaks our SIMCAP
protocol whenever this condition does not hold. This
attack is very similar to that in Ref. [34].

Without loss of generality, we assume that all the com- 
munication in the one-way reconciliation part of the pro- 
tocol goes from Alice to Bob. In this attack, Eve delays 
her measurement until Alice and Bob complete the CAD 
part of the distillation protocol. Then, she applies on 
each of her systems the two-outcome measurement de- 
fined by the projectors 



$$F_{eq} = [1]_E + [2]_E, \qquad F_{dif} = [3]_E + [4]_E. \tag{28}$$



According to (20), all N measurements give the same
outcome. If Eve obtains the outcome corresponding to
$F_{eq}$, the tripartite state becomes (up to normalization)

$$[00]_{AB} \otimes [e_{0,0}]_E^{\otimes N} + [11]_{AB} \otimes [e_{1,1}]_E^{\otimes N}. \tag{29}$$



[Figure 5; plot labels: "Security region", "Entanglement condition".]

FIG. 5: Graphical depiction of the security condition (26):
the security region is defined by the intersection of the
entanglement condition $\lambda_1 > 1/2$, the normalization condition
$\lambda_1 + \lambda_2 < 1$, and the security condition (26).

In order to learn $s_A$, Alice's bit, she has to discriminate
between the two pure states $|e_{0,0}\rangle^{\otimes N}$ and $|e_{1,1}\rangle^{\otimes N}$. The
minimum error probability in such discrimination is

127V

(30)

Her guess for Alice's symbol is denoted by $s_E$. On the
other hand, if Eve obtains the outcome corresponding to
$F_{dif}$, the state of the three parties is

$$[01]_{AB} \otimes [e_{0,1}]_E^{\otimes N} + [10]_{AB} \otimes [e_{1,0}]_E^{\otimes N}. \tag{31}$$

The corresponding error probability $\epsilon_{dif}$ is the same
as in Eq. (30), with the replacement
$|\langle e_{0,0}|e_{1,1}\rangle| \to |\langle e_{0,1}|e_{1,0}\rangle|$.
Note that $|\langle e_{0,0}|e_{1,1}\rangle| > |\langle e_{0,1}|e_{1,0}\rangle|$. Eve's
information now consists of $s_E$, as well as the outcome
of the measurement (28), $t_E = \{eq, dif\}$. It is shown in
what follows that the corresponding probability distribution
$P(s_A, s_B, (s_E, t_E))$ cannot be distilled using one-way
communication. In order to do that, we show that Eve
can always map P into a new probability distribution,
Q, which is not one-way distillable. Therefore, the
non-distillability of P is implied.

Eve's mapping from P to Q works as follows: she
increases her error until $\epsilon_{dif} = \epsilon_{eq}$. She achieves this
by changing with some probability the value of $s_E$
when $t_E = dif$. After this, Eve forgets $t_E$. The
resulting tripartite probability distribution Q satisfies
$Q(s_B, s_E|s_A) = Q(s_B|s_A)\,Q(s_E|s_A)$. Additionally, we
know that $Q(s_B|s_A)$ and $Q(s_E|s_A)$ are binary symmetric
channels with error probability $\epsilon_B$ ($= \epsilon_N$ in (21)) and
$\epsilon_{eq}$ in (30), respectively. It is proven in [20] that in such
situation the one-way key rate is

$$h(\epsilon_{eq}) - h(\epsilon_B), \tag{32}$$

which is non-positive if

(33)

Let us finally show that this inequality is satisfied for all
values of N whenever the condition (25) does not hold.
Writing $z = \lambda_1 + \lambda_2$, we have 1/2 < z < 1, since the
state of Alice and Bob is assumed entangled. Using the
following inequality

1 - z

N

<

(1-Z

yN

(1

\N ■

(34)




which holds for any positive N, the right-hand side of (34)
is equal to $\epsilon_B$, whereas the left-hand side is an upper
bound for $\epsilon_{eq}$. This bound follows from the inequality
$(\lambda_1 - \lambda_2)^2/z^2 \le (1 - z)/z$, which is the negation of (25).
That is, if condition (25) is violated, no secret key can
be distilled with our SIMCAP protocol. More precisely,
there exists no N such that CAD followed by one-way
distillation allows Alice and Bob to establish a secret key.
Since (25) is sufficient for security, the attack we have
considered is in some sense optimal and the security bound
(25) is tight for our SIMCAP protocol.

It is worth analyzing the resources that this optimal
eavesdropping attack requires. First of all, note that Eve
does not need to perform any coherent quantum operation;
she only requires single-copy level (individual)
measurements. This is because when discriminating N
copies of two states, there exists an adaptive sequence
of individual measurements which achieves the optimal
error probability (30) [36]. However, what Eve really
needs is the ability to store her quantum states after
listening to the (public) communication exchanged by Alice
and Bob during the CAD part of the protocol.



Inequivalence of CAD1 and CAD2 for
individual attacks



As we have seen, the two CAD protocols lead to the
same security condition. This follows from the fact that
Eve is not assumed to measure her state before the CAD
takes place. Then, she can effectively map one CAD
protocol into the other by means of the reversible operation
$U_i$. This is no longer true in the case of individual
attacks. Interestingly, in this scenario, the two two-way
distillation methods do not give the same security
condition. As mentioned, although the study of individual
attacks gives a weaker security, it is relevant in the case of
realistic eavesdroppers. Moreover, we believe the present
example has some interest as a kind of toy model
illustrating the importance of the reconciliation part for
security. Recall that in the case of individual attacks, where
Eve can neither perform coherent operations nor have a
quantum memory, the security condition using CAD1 is
the entanglement condition $\lambda_1 > 1/2$ [8]. However, when
the honest parties apply CAD1 plus one-way communication,
the security condition is (25). This holds true for
two-qubit protocols, and remains open for the two-qudit
protocols studied in the next sections [37].

Let us suppose that Alice and Bob apply CAD1 and
consider the following individual attack. Eve knows that
for all the instances passing the CAD protocol, Alice
and Bob's symbols are equal with very high probability.
Moreover, she knows that in all the positions announced
by Alice, Alice's symbol is the same. Therefore, from her
point of view, the problem reduces to the discrimination
of N copies of the two states $|e_{i,i}\rangle$. Thus, she has to apply
the measurement that optimally discriminates between
these two states. As mentioned, the optimal two-state
discrimination [36] can be achieved by an adaptive
individual measurement strategy. Therefore, Eve can apply
this adaptive strategy to her states right after her
individual interaction. Her error probability is again given
by (30). That is, although the attack is individual, the
corresponding security condition is the same as for
collective attacks.

This N-copy situation on Eve's space does not happen
when Alice and Bob apply CAD2. Indeed, Eve maps
CAD2 into CAD1 by applying the correcting unitary
operation $U_i$ after knowing the vector X used in CAD2.
This is the key point that allowed her to map one situa- 
tion into the other above. This is however not possible in 
the case of individual attacks, where Eve is assumed to 
measure before the reconciliation part takes place. Un- 
der individual attacks, the security condition for CAD2 
is equivalent to the entanglement condition for Bell di- 
agonal states, as shown in Q. Therefore, the two CAD 
protocols, which have proven to be equivalent in terms 
of robustness against general quantum attacks, become 
inequivalent in the restricted case of individual attacks. 



V. BB84 AND SIX-STATE PROTOCOLS 

The goal of the previous study has been to provide a 
general formalism for determining the security of qubit 
channels under a class of realistic QKD protocols. Rel- 
evant prepare and measure schemes, such as the BB84 
and six-state protocol, constitute a particular case of our 
analysis. Indeed, the process of correlation distribution 
and channel tomography in these protocols is done by 
Alice preparing states from and Bob measuring in two 
(BB84) or three (six-state) bases. In this section, we 
apply the derived security condition to these protocols 
and compare the obtained results with previous security 
bounds. As explained in llll Dl a standard figure of merit 
in the security analysis of a given QKD protocol is given 
by the maximum error rate such that key distillation is 
still possible. For instance, in the case of one-way
communication, the values of the critical error rates keep
improving (see for the latest result in this sense) since
the first general security proof by Mayers [25]. In the case
of reconciliation using two-way communication, the best
known results were obtained by Chau in [30]. It is then
important to know whether these bounds can be further



improved. In what follows, it is shown that our necessary 
condition for security implies that Chau's bounds cannot 
be improved. In order to do that, then, one has to employ 
other reconciliation techniques, different from advantage 
distillation plus one-way standard techniques. Some of 
these possibilities are discussed in the next sections. 



A. BB84 protocol 

In the BB84 protocol 0, bits are encoded into two 
sets of mutually unbiased bases $\{|0\rangle, |+\rangle\}$ and $\{|1\rangle, |-\rangle\}$
respectively, where $|\pm\rangle = (|0\rangle \pm |1\rangle)/\sqrt{2}$. One can easily
see that in the entanglement-based scheme, a family of 
attacks by Eve producing a QBER Q is given by the 
Bell-diagonal states (see also |3g) 

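$$\rho_{AB} = (1 - 2Q + x)[\Phi_1] + (Q - x)[\Phi_2] + (Q - x)[\Phi_3] + x[\Phi_4], \tag{35}$$

since the QBER is

$$Q = \langle 01|\rho_{AB}|01\rangle + \langle 10|\rho_{AB}|10\rangle
   = \langle {+-}|\rho_{AB}|{+-}\rangle + \langle {-+}|\rho_{AB}|{-+}\rangle \tag{36}$$

and $0 \le x \le Q$. When Alice and Bob apply one-way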
communication distillation, the attack that minimizes Q) 
is $x = Q^2$, and leads to the well-known value of QBER =
11%, first obtained by Shor and Preskill in [26]. The
corresponding unitary interaction by Eve is equal to the 
phase-covariant cloning machine, that optimally clones 
qubits in an equator (in this case, in the xz plane). 

When one considers the two-way distillation techniques
studied in this work, condition (25), or (26), applies.

Then, one can see that the optimal attack, for fixed
QBER, consists of taking x = 0. Therefore, Eve's attack
is, not surprisingly, strongly dependent on the type
of reconciliation employed. In the case of two-way
communication, Eve's optimal interaction can also be seen
as a generalized phase-covariant cloning transformation,
which is shown in the Appendix I. Using this attack,
the derived necessary condition for security is violated
when QBER = 20%. This is precisely the same value
obtained by Chau in his general security proof of BB84
[30]. So, the considered collective attack turns out to be
tight, in terms of robustness. Recall that the security
bound against individual attacks is at the entanglement
limit, in this case giving QBER = 25.0% @ The 
full comparison is depicted in Fig. 6.

Note also that the state (35) with x = 0, associated to
the optimal attack, does not fit into our canonical form
for Bell diagonal states, since $\lambda_2$ is not the minimal Bell
coefficient. This simply means that key distillation from
this state using a SIMCAP protocol is still possible. Alice
and Bob only have to measure in a different basis,
namely in the y basis. That is, if Alice and Bob knew
to share this state, or channel, and could prepare and
measure states in the y basis, not used in the considered
version of BB84, they would be able to establish a secure
key. This channel is still useful for QKD using a prepare
and measure scheme, although not using the considered
version of BB84. In our opinion, this illustrates why the
present approach, that aims at identifying secrecy
properties of channels without referring to a given protocol,
is more general.

[Figure 6; QBER axis marking BB84 at 20.0% and six-state at 27.6%
under "Security against general attacks", and BB84 at 25.0% and
six-state at 33.3% under "Security against individual attacks [8]".]

FIG. 6: Security bounds of the BB84 and the six-state
protocols against individual and collective attacks: When Eve is
supposed to apply individual attacks, all entangled states are
distillable to a secret key. Assuming general attacks, security
bounds are 20.0% and 27.6%, respectively, for the BB84 and
the six-state protocols. This means that non-distillable secret
correlations may exist (see Section VI).



B. Six-state protocol 

If a third mutually unbiased basis, in the y direction,
is added to BB84, one obtains the so-called six-state
protocol. The information encoding is as follows: bit 0 is
encoded on states $\{|0\rangle, |+\rangle, |{+i}\rangle\}$, and 1 in $\{|1\rangle, |-\rangle, |{-i}\rangle\}$,
where $|{\pm i}\rangle = (|0\rangle \pm i|1\rangle)/\sqrt{2}$ pjj. It is easy to see that
an attack by Eve producing a QBER equal to Q is given 
by the Bell diagonal state 

$$\rho_{AB} = \left(1 - \tfrac{3}{2}Q\right)[\Phi_1] + \tfrac{Q}{2}[\Phi_2] + \tfrac{Q}{2}[\Phi_3] + \tfrac{Q}{2}[\Phi_4]. \tag{37}$$

This attack actually corresponds to Eve applying the uni- 
versal cloning transformation. Contrary to what hap- 
pened for BB84, this attack is optimal for both types of 
reconciliation protocols, using one- or two-way commu- 
nication. 

Applying the security condition (25), the security
bound gives a critical QBER of Q = 27.6%. This value
again coincides with the one obtained by Chau in his
general security proof of [30] for the six-state protocol. The
present attack, then, is again tight. In the case of individual
attacks, the security bound Q is the entanglement
limit Q = 33.3%.
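
The security condition (26), the rate bound (22) and the attack key rate (32) can be evaluated numerically for the BB84 and six-state states of Eqs. (35) and (37). The following is an added example, not code from the paper; the function names are chosen here, and the standard Helstrom expression $\frac{1}{2}\big(1 - \sqrt{1 - |\langle e_{0,0}|e_{1,1}\rangle|^{2N}}\big)$ is assumed for the minimum error probability of Eq. (30).

```python
"""Added illustration (not the paper's code): Eqs. (21)-(23), (26) and (32)."""
from math import log2, sqrt


def h(x):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * log2(x) - (1 - x) * log2(1 - x)


def bb84_state(Q, x=0.0):
    """Bell coefficients (l1, l2, l3, l4) of Eq. (35); x = 0 is the two-way attack."""
    return (1 - 2 * Q + x, Q - x, Q - x, x)


def six_state(Q):
    """Bell coefficients of Eq. (37)."""
    return (1 - 1.5 * Q, Q / 2, Q / 2, Q / 2)


def overlaps(lam):
    """Eq. (23): Lambda_eq = |<e00|e11>| and Lambda_dif = |<e01|e10>|."""
    l1, l2, l3, l4 = lam
    lam_eq = (l1 - l2) / (l1 + l2)
    lam_dif = abs(l3 - l4) / (l3 + l4) if l3 + l4 > 0 else 0.0
    return lam_eq, lam_dif


def eps_after_cad(lam, N):
    """Eq. (21): Alice-Bob error rate after CAD on blocks of N symbols."""
    e = lam[2] + lam[3]                     # QBER, Eq. (18)
    return e ** N / (e ** N + (1 - e) ** N)


def is_secure(lam):
    """Security condition, Eq. (26)."""
    l1, l2, l3, l4 = lam
    return (l1 + l2) * (l3 + l4) < (l1 - l2) ** 2


def rate_bound(lam, N):
    """Eq. (22): I(A:B) - I(A:E) after CAD with block size N."""
    eN = eps_after_cad(lam, N)
    lam_eq, lam_dif = overlaps(lam)
    return (1 - h(eN)
            - (1 - eN) * h((1 - lam_eq ** N) / 2)
            - eN * h((1 - lam_dif ** N) / 2))


def min_block_size(lam, n_max=200, tol=1e-12):
    """Smallest N with a positive rate bound; tol absorbs floating-point noise."""
    for N in range(1, n_max + 1):
        if rate_bound(lam, N) > tol:
            return N
    return None


def attack_rate(lam, N):
    """Eq. (32), h(eps_eq) - h(eps_B), with eps_eq from the assumed Helstrom bound."""
    t = overlaps(lam)[0] ** (2 * N)
    eps_eq = 0.5 * t / (1 + sqrt(1 - t))    # equals (1 - sqrt(1 - t)) / 2, stable for small t
    return h(eps_eq) - h(eps_after_cad(lam, N))


def critical_qber(family, ent_limit, iters=60):
    """Bisection on Eq. (26) between Q = 0 (secure) and the entanglement limit (insecure)."""
    lo, hi = 0.0, ent_limit
    for _ in range(iters):
        mid = (lo + hi) / 2
        if is_secure(family(mid)):
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    print("critical QBER, BB84 (x = 0):", round(critical_qber(bb84_state, 0.25), 4))
    print("critical QBER, six-state   :", round(critical_qber(six_state, 1 / 3), 4))
    for Q in (0.15, 0.22):
        lam = bb84_state(Q)
        print(f"BB84 Q={Q}: secure={is_secure(lam)}, "
              f"min N={min_block_size(lam)}, "
              f"attack rate at N=5: {attack_rate(lam, 5):+.4f}")
```

Below the threshold a finite block size makes the bound (22) positive; above it the rate (32) left to Alice and Bob under the attack stays non-positive for every N.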



VI. CAN THESE BOUNDS BE IMPROVED? 

The previous section has applied the obtained secu- 
rity condition to two well-known QKD protocols. In the 
corresponding attack, Eve is forced to interact individ- 
ually and in the same way with the sent qubits. As 



discussed, the de Finetti results by Renner imply that 
this does not pose any restriction on Eve's attack. How- 
ever, Eve is also assumed to measure her states right 
after CAD, while she could have delayed her measure- 
ment, for instance until the end of the entire reconcilia- 
tion. In spite of this apparent limitation, the condition is 
shown to be tight, under the considered distillation tech- 
niques, for the two protocols. As it has been mentioned, 
the obtained bounds do not coincide with the entangle- 
ment limit. This raises the question whether prepare and 
measure schemes, in general, do attain this limit. Or in
other words, it suggests the existence of channels that,
although they can be used to distribute distillable
entanglement, are useless for QKD using prepare and measure
techniques. Recall that a channel that allows one to
establish distillable entanglement is secure: this just follows
from combining the de Finetti argument with standard
entanglement distillation. So, in this sense the channel
indeed contains distillable secrecy. However, our results
suggest that this secrecy is non-distillable, or bound,
using single-copy measurements. That is, this secrecy is
distillable only if both parties are able to perform coherent
quantum operations. Perhaps, the simplest example
of this channel is given by (37) with Q > 27.6%, i.e. by
a weakly entangling depolarizing channel.

The aim of this section is to explore two possibilities to
improve the previous security bounds. We first consider
the classical pre-processing introduced in [24]. In this
work, previous security bounds using one-way communication
protocols for BB84 and six-state protocols have
been improved by allowing one of the honest parties to
introduce some local noise. This noise worsens the
correlations between Alice and Bob, but it deteriorates in
a stronger way the correlations between Alice and Eve.
Here, we study whether a similar effect can be obtained in
the case of the considered two-way communication
protocols. In a similar way as in Ref. [24], we allow one
of the two parties to introduce some noise, given by a
binary symmetric channel (BSC). In our case, however,
this form of pre-processing does not give any improvement
on the security bounds. Later, we study whether
the use of coherent quantum operations by one of the
parties helps. We analyze a protocol that can be
understood as a hybrid between classical and entanglement
distillation protocol. Remarkably, this protocol does not
provide any improvement either. In our opinion, these
results strengthen the conjectured bound secrecy of these
weakly entangled states when using SIMCAP protocols.


A. Pre-processing by one party 

Recently, it has been observed that local classical pre- 
processing by the honest parties of their measurement 
outcomes can improve the security bounds of some QKD 
protocols [24]. For instance, Alice can map her measurement
values X into another random variable U, and
this transforms the mutual information from I(X : B)
into I(U : B). At the same time, I(X : E) changes to
I(U : E). In general, this mapping makes the mutual
information of Alice and Bob decrease, but bounds on the
secret key rate may improve, e.g. I(U : B) - I(U : E) >
I(X : B) - I(X : E). Actually, by applying a simple
BSC of probability q, where the input value is kept
unchanged with probability 1 - q or flipped with probability
q, Alice may be able to improve the one-way secret-key
rate 0. Using this technique, the security bounds have 
been moved from 11% to 12.4% for the BB84 protocol 
and from 12.7% to 14.1% in the six-state protocol [24].
Here, we analyze whether a similar effect happens in the 
case of protocols consisting of two-way communication. 
Note that pre-processing is useless if applied after CAD. 
Indeed, recall that the situation after CAD for the attack
of Section IV B is simply given by two independent
BSC channels between Alice and Bob and Alice and Eve, 
where pre-processing is known to be useless. The only 
possibility left is that Alice and/or Bob apply this pre- 
processing before the whole reconciliation protocol takes 
place. 

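As mentioned, Alice's pre-processing consists of a BSC
channel, where her measurement value j is mapped into
j and j + 1 with probabilities 1 - q and q, respectively.
After this classical pre-processing, the state of the three
parties is

$$\sigma_{ABE} \propto \sum_{i,j} [i,j]_{AB} \otimes \tilde\rho_{i,j},$$

where

$$\begin{aligned}
\tilde\rho_{0,0} &= (1-q)(1-\epsilon_{AB})[e_{0,0}] + q\,\epsilon_{AB}[e_{1,0}], \\
\tilde\rho_{0,1} &= (1-q)\,\epsilon_{AB}[e_{0,1}] + q(1-\epsilon_{AB})[e_{1,1}], \\
\tilde\rho_{1,0} &= q(1-\epsilon_{AB})[e_{0,0}] + (1-q)\,\epsilon_{AB}[e_{1,0}], \\
\tilde\rho_{1,1} &= q\,\epsilon_{AB}[e_{0,1}] + (1-q)(1-\epsilon_{AB})[e_{1,1}],
\end{aligned} \tag{38}$$

and $\epsilon_{AB}$ denotes the QBER of the original measurement
data, i.e. the error rate before applying pre-processing.
Again, the states with tilde are not normalized, so

$$\rho_{i,i} = \frac{\tilde\rho_{i,i}}{(1-q)(1-\epsilon_{AB}) + q\,\epsilon_{AB}}, \qquad
\rho_{i,i+1} = \frac{\tilde\rho_{i,i+1}}{(1-q)\,\epsilon_{AB} + q(1-\epsilon_{AB})}.$$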

Next, Alice and Bob apply two-way CAD to $\sigma_{ABE}$. A
new error rate is obtained after CAD. The rest of the
distillation part, then, follows the same steps as in section
V-A.

We now compute the mutual information between the
honest parties after CAD. The new error rate of Alice and
Bob is introduced by the BSC above, and is expressed
as $\omega = \mathrm{tr}_{ABE}[\sigma_{ABE}(|01\rangle_{AB}\langle 01| + |10\rangle_{AB}\langle 10|)]
= (1-q)\,\epsilon_{AB} + q(1-\epsilon_{AB})$. For large N, the mutual information
of Alice and Bob tends to, c.f. (21),

$$I_P(A:B) \approx 1 + \left(\frac{\omega}{1-\omega}\right)^N \log\left(\frac{\omega}{1-\omega}\right)^N.$$

FIG. 7: Considered classical pre-processing: Alice introduces
some extra noise by permuting her classical variable with
probability q.


In the same limit, Eve's state can be very well approxi- 
mated by 



1 



^«2°& )' 

since > After some patient algebra, one 

can see that the Holevo information of Alice and Eve 
channel is (see also Appendix II): 

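$$I_P(A:E) \approx 1 - \frac{1}{\ln 4}\left(u\,|\langle e_{0,0}|e_{1,1}\rangle|^2 + v\,|\langle e_{0,1}|e_{1,0}\rangle|^2\right)^N,$$

where

$$u = \frac{(1-q)(1-\epsilon_{AB})}{q\,\epsilon_{AB} + (1-q)(1-\epsilon_{AB})},$$

and u + v = 1. The case of q = 0 (or equivalently,
u = 1) recovers the initial mutual information I(A : E).
Therefore, the security condition of this protocol is

$$u\,|\langle e_{0,0}|e_{1,1}\rangle|^2 + v\,|\langle e_{0,1}|e_{1,0}\rangle|^2 > \frac{\omega}{1-\omega}. \tag{39}$$
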

More precisely, whenever this condition is satisfied, there
exists a finite N such that $I_P(A:B) - I_P(A:E) > 0$.

The derived bound looks again intuitive. The r.h.s.
quantifies how Alice and Bob's error probability for the
accepted symbols converges to zero when N is large. If
one computes the trace distance between $\rho_{0,0}$ and $\rho_{1,1}$,
as defined in Eq. (38), one can see that

$$\mathrm{tr}\,\big|\rho_{0,0}^{\otimes N} - \rho_{1,1}^{\otimes N}\big| \approx
2 - \left(u\,|\langle e_{0,0}|e_{1,1}\rangle|^2 + v\,|\langle e_{0,1}|e_{1,0}\rangle|^2\right)^N, \tag{40}$$

which gives the l.h.s. of (39). This result suggests that
the derived condition may again be tight. That is, it is
likely there exists an attack by Eve breaking the security
of the protocol whenever (39) is not satisfied. This attack
would basically be the same as above, where Eve simply
has to measure after the CAD part of the protocol.

Our goal is to see whether there exist situations where
pre-processing is useful. Assume this is the case, that is,
there exists a state for which (39) holds, for some value
of q, while (25) does not. Then,

$$\frac{\epsilon_{AB}}{1-\epsilon_{AB}} \ge |\langle e_{0,0}|e_{1,1}\rangle|^2 >
\frac{1}{u}\left(\frac{\omega}{1-\omega} - v\,|\langle e_{0,1}|e_{1,0}\rangle|^2\right). \tag{41}$$

After some simple algebra, one gets the inequality:

$$\frac{1}{\epsilon_{AB}} < 1 + |\langle e_{0,1}|e_{1,0}\rangle|^2.$$

The r.h.s. of this equation is smaller than 2, and this
implies that $\epsilon_{AB} > 1/2$. However, this contradicts
$0 < \epsilon_{AB} < 1/2$, so we conclude that one-party pre-processing
does not improve the obtained security bound.
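
The conclusion above can be checked numerically by evaluating condition (39) over a grid of noise levels q. The following is an added example, not code from the paper; the function names and the grid are chosen here, and the test states are the BB84 (x = 0) and six-state families of Eqs. (35) and (37).

```python
"""Added illustration (not the paper's code): condition (39) with Alice's bit-flip noise q."""


def bb84_state(Q):
    """Bell coefficients of Eq. (35) with x = 0."""
    return (1 - 2 * Q, Q, Q, 0.0)


def six_state(Q):
    """Bell coefficients of Eq. (37)."""
    return (1 - 1.5 * Q, Q / 2, Q / 2, Q / 2)


def overlaps_sq(lam):
    """Squared overlaps |<e00|e11>|^2 and |<e01|e10>|^2 from Eq. (23)."""
    l1, l2, l3, l4 = lam
    eq = (l1 - l2) / (l1 + l2)
    dif = abs(l3 - l4) / (l3 + l4) if l3 + l4 > 0 else 0.0
    return eq * eq, dif * dif


def condition_25(lam):
    """Security condition without pre-processing, Eq. (25)."""
    eq2, _ = overlaps_sq(lam)
    eps = lam[2] + lam[3]
    return eq2 > eps / (1 - eps)


def condition_39(lam, q):
    """Security condition after a BSC of flip probability q on Alice's side, Eq. (39)."""
    eq2, dif2 = overlaps_sq(lam)
    eps = lam[2] + lam[3]
    omega = (1 - q) * eps + q * (1 - eps)      # error rate after pre-processing
    u = (1 - q) * (1 - eps) / (1 - omega)
    v = 1 - u
    return u * eq2 + v * dif2 > omega / (1 - omega)


def helpful_noise_levels(lam, steps=50, q_max=0.5):
    """Values of q for which (39) holds although (25) fails; empty if none exist."""
    if condition_25(lam):
        return []
    grid = [q_max * k / steps for k in range(steps + 1)]
    return [q for q in grid if condition_39(lam, q)]


def critical_qber(family, q, ent_limit, iters=60):
    """Bisection on Eq. (39) in Q for fixed q, between 0 and the entanglement limit."""
    lo, hi = 0.0, ent_limit
    for _ in range(iters):
        mid = (lo + hi) / 2
        if condition_39(family(mid), q):
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    for q in (0.0, 0.05, 0.1, 0.2):
        print(f"q={q:4.2f}  BB84: {critical_qber(bb84_state, q, 0.25):.4f}"
              f"  six-state: {critical_qber(six_state, q, 1 / 3):.4f}")
    for lam in (bb84_state(0.21), six_state(0.28)):
        print("insecure state, helpful q values:", helpful_noise_levels(lam))
```

The critical QBER is largest at q = 0 and drops as q grows, and no q on the grid rescues a state that violates (25).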

Notice that since the reconciliation part uses commu- 
nication in both directions, it seems natural to consider 
pre-processing by the two honest parties, where Alice 
and Bob introduce some noise, described by the probabilities
$q_A$ and $q_B$. In this case, however, the analytical
derivation is much more involved, even in the case
of symmetric pre-processing. Our preliminary numerical 
calculations suggest that two-parties pre-processing may 
be useless as well. However, these calculations should be 
interpreted in a very careful way. Indeed, they become 
too demanding already for a moderate N, since one has 
to compute the von Neumann entropies for states in a 
large Hilbert space, namely p®^ and pff . Therefore, 
the detailed analysis of pre-processing by the two honest 
parties remains to be done. 

Before concluding, we would like to mention that pre- 
processing, before or after CAD, may help in improving 
the distillable secret-key rate if the initial rate without 
pre-processing is already positive (see for instance [15]).
However, this improvement vanishes for large blocks and 
the obtained security bounds do not change. 

B. Bob's coherent operations do not improve the 
security bound 

In order to improve the security bound, we also con- 
sider the scenario where Bob performs some coherent 
quantum operations before his measurement. Thus, he 
is assumed to be able to store quantum states and ma- 
nipulate them in a coherent way, see Fig. 8. This is very 
unrealistic, but it gives the ultimate limit for positive 
key-rate using the corresponding prepare and measure 
protocol. We do not solve the problem in full generality. 
Here we consider the rather natural protocol where Bob 
applies the recurrence protocol used in entanglement dis- 
tillation. That is, he applies CNOT operations to N of 
his qubits and measures all but one. He accepts only 
when the results of these N - 1 measurements are zero
and keeps the remaining qubit. Later Bob applies a col- 
lective measurement on all the accepted qubits. Alice's 
part of the protocol remains unchanged. 

FIG. 8: Quantum advantage distillation protocol: Alice performs
single-copy measurement and processes the obtained
classical outcomes. Bob keeps his quantum states on a quantum
memory and performs coherent quantum operations.

After Alice has measured her states and announced the
position of N symbols having the same value, the
Alice-Bob-Eve state reads

PABE = [0]a ® + [1] A ® Mf (42)

where |6e») = (i\ip) abe- Note that Alice, Bob and Eve
now share CQQ correlations. Bob applies his part of the
protocol and accepts. The resulting state turns out to be
equal to, up to normalization,

Pabe oc[0]«[|0)|e^) 8JV + |l)|e^I)® JV ] + 

[1]® [\0)\^of N + \l)\Kif N ]. (43) 

Since Bob is allowed to apply any coherent operation, 
the extractable key rate satisfies {7J|, where now both 
information quantities, I (A : B) and I (A : E), are equal 
to the corresponding Holevo bound. Of course I (A : E) 
has not changed. It is straightforward to see that one
obtains the same bound for the key rate as for the state
(15). This follows from the fact that {ei^e^j) = 0, where
i ≠ j. Then, this hybrid protocol does not provide any
advantage with respect to SIMCAP protocols.

Recall that if the two parties apply coherent quantum 
operations, they can run entanglement distillation and 
distill from any entangled two-qubit state. Actually a 
slightly different protocol where (i) both parties perform 
the coherent recurrence protocol previously applied only 
by Bob, (ii) measure in the computational bases and (iii) 
apply standard one-way reconciliation techniques is se- 
cure for any entangled state. As shown, if one of the 
parties applies the "incoherent" version of this distilla- 
tion protocol, consisting of first measurement and later 
CAD, followed by classical one-way distillation, the crit- 
ical QBER decreases. 

VII. GENERALIZATION TO ARBITRARY 
DIMENSION 

In the previous sections we have provided a general for- 
malism for the study of key distribution through quan- 
tum channels using prepare and measure schemes and 
two-way key distillation. In the important case of Pauli 
channels, we have derived a simple necessary and suffi- 
cient condition for security, for the considered protocols. 
In the next sections, we move to higher dimension, where
the two honest parties employ d-dimensional quantum
systems, or qudits. The generalization of the previous
qubit scenario to arbitrary dimension is straightforward.
Alice locally generates a d-dimensional maximally
entangled state,

$$|\Phi\rangle = \frac{1}{\sqrt{d}} \sum_{k=0}^{d-1} |k\rangle|k\rangle , \qquad (44)$$

measures the first particle of the pair, and sends the other
one to Bob. Since the channel between Alice and Bob is
noisy, the shared state will change into a mixed state
$\rho_{AB}$. As usual, all the noise in the channel is due to
Eve's interaction.

In what follows, we consider generalized Pauli channels.
For these channels, Eve introduces flip and phase
errors, generalizing the standard bit-flip $\sigma_x$ and
phase-flip $\sigma_z$ operators of qubits. This generalization is given
by the unitary operators

$$U_{m,n} = \sum_{k=0}^{d-1} \exp\!\left(\frac{2\pi i}{d}\, kn\right) |k+m\rangle\langle k| .$$

Thus, a quantum system in state $\rho$ propagating through
a generalized Pauli channel is affected by a $U_{m,n}$ flip with
probability $p_{m,n}$, that is

$$\mathcal{D}(\rho) = \sum_{m,n} p_{m,n}\, U_{m,n}\, \rho\, U_{m,n}^{\dagger} .$$

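When applied to half of a maximally entangled state $|\Phi\rangle$,
the resulting state is Bell-diagonal,

$$(\mathbb{1} \otimes \mathcal{D})(\Phi) = \sum_{m=0}^{d-1} \sum_{n=0}^{d-1} p_{m,n}\, |B_{m,n}\rangle\langle B_{m,n}| , \qquad (45)$$

where the states $|B_{m,n}\rangle$ define the generalized Bell basis

$$|B_{m,n}\rangle = (\mathbb{1} \otimes U_{m,n}) |\Phi\rangle = \frac{1}{\sqrt{d}} \sum_{k=0}^{d-1} e^{\frac{2\pi i}{d} kn}\, |k\rangle|k+m\rangle . \qquad (46)$$

The global state including Eve reads

$$|\psi\rangle_{ABE} = \sum_{m=0}^{d-1} \sum_{n=0}^{d-1} c_{m,n}\, |B_{m,n}\rangle_{AB}\, |m,n\rangle_E , \qquad (47)$$

where $c_{m,n}^2 = p_{m,n}$ and $\{|m,n\rangle\}$ defines a basis.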

In the next lines, we derive a security condition for
these channels when the two honest parties measure in 
the computational bases. We restrict to the computa- 
tional bases for the sake of simplicity, although the main 
ideas of the formalism can be applied to any bases, and 
then numerically optimized. We then generalize the pre- 
vious eavesdropping attack. Contrary to what happened 
in the qubit case, we are unable to prove the tightness of 
our condition in full generality using this attack. 



We then apply the derived security condition to the
known protocols in d-dimensional systems, such as the 2-
and (d + 1)-bases protocols. These protocols can be seen
as the natural generalization of the BB84 and the six-state
protocols to higher dimension [16]. Exploiting the
symmetries of these schemes, we can prove the tightness
of our security condition for these protocols. In the case
of the (d + 1)-bases protocol, some security bounds using
two-way communication have been obtained by Chau in
[iof . Here, we obtain the same values, therefore proving 
that they cannot be improved unless another reconciliation
protocol is employed. Moreover, in the case of the
2-bases protocol, we derive the same security bound as
in [41]. Thus, again, another reconciliation protocol is
necessary if the bound is to be improved.



A. Sufficient condition 

After sending half of a maximally entangled state
through the Pauli channel, Alice and Bob share the state

$$\rho_{AB} = \sum_{m,n} p_{m,n}\, |B_{m,n}\rangle\langle B_{m,n}| ,$$

where the probabilities $p_{m,n}$ characterize the generalized
Pauli channel. After measuring in the computational
bases, the two honest parties obtain correlated results.
We denote by F, fidelity, the probability that Alice and
Bob get the same measurement outcome. It reads

$$F = \sum_{k=0}^{d-1} \langle kk|\rho_{AB}|kk\rangle = \sum_{n=0}^{d-1} p_{0,n} .$$

In a similar way as for the qubit case, we introduce a
measure of disturbance for the d − 1 possible errors.
Denote Alice's measurement result by a. Then, Bob obtains
a + j, with probability

$$D_j = \sum_{a=0}^{d-1} P(A = a, B = a + j) = \sum_{n=0}^{d-1} p_{j,n} .$$

The total disturbance is defined as 



D 



(48) 



Of course, $D_0 = F$. Notice that all the $D_j$ can be taken
smaller than F, without loss of generality. Indeed, if
this was not the case, the two honest parties could apply
local operations $U_{m,n}$ to make the fidelity F larger than
any other $D_j$. Note also that the errors have different
probabilities $D_j$.

We now include Eve in the picture, the resulting global
state being (47). As for the qubit case, Eve's interaction
by means of the Pauli operators can be formulated as
an asymmetric 1 → 1 + 1 cloning transformation [23].
In what follows, and again invoking the de Finetti
argument, it is assumed that Alice, Bob and Eve share many
copies of the state (47). After the measurements by Alice
and Bob, the quantum state describing the CCQ
correlations between the three parties is

$$\rho_{ABE} \propto \sum_{\alpha=0}^{d-1} \sum_{\beta=0}^{d-1} [\alpha\,\beta]_{AB} \otimes [\tilde e_{\alpha,\beta}]_E . \qquad (49)$$

Eve's states are

$$|e_{\alpha,\alpha}\rangle = \frac{1}{\sqrt{F}} \sum_{n=0}^{d-1} c_{0,n}\, e^{\frac{2\pi i}{d} \alpha n}\, |0,n\rangle ,$$

$$|e_{\alpha,\beta}\rangle = \frac{1}{\sqrt{D_{\beta-\alpha}}} \sum_{n=0}^{d-1} c_{\beta-\alpha,n}\, e^{\frac{2\pi i}{d} \alpha n}\, |\beta-\alpha,n\rangle , \qquad (50)$$

where the algebra is modulo d and β ≠ α. As above, the
states with tilde are not normalized,

$$|\tilde e_{\alpha,\alpha}\rangle = \sqrt{F}\, |e_{\alpha,\alpha}\rangle , \qquad |\tilde e_{\alpha,\beta}\rangle = \sqrt{D_{\beta-\alpha}}\, |e_{\alpha,\beta}\rangle .$$

Note that $\langle e_{\alpha,\beta}|e_{x,y}\rangle = 0$ whenever β − α ≠ y − x, so
Eve can know in a deterministic way which error (if any)
occurred between Alice and Bob.

After the measurements, Alice and Bob have a list
of correlated measurement outcomes. They now apply
CAD. First, Alice locally generates a random variable,
$s_A$, that can take any value between 0 and d − 1
with uniform probability. She then takes N of her
symbols $(\alpha_1, \dots, \alpha_N)$ and announces the vector
$X = (X_1, \dots, X_N)$ such that $X_j = s_A - \alpha_j$. Bob sums this
vector to his corresponding symbols $(\beta_1, \dots, \beta_N)$. If the N
results are equal, and we denote by $s_B$ the corresponding
result, he accepts $s_B$. It is simple to see that Bob accepts
a symbol with probability $p_{ok} = F^N + \sum_{j=1}^{d-1} D_j^N$. After
listening to the public communication used in CAD, Eve
knows $(X_1, \dots, X_N)$. As in the previous qubit case, she
applies the unitary operation:

d-l d-l 

U E = X)X> 35iX H*>- m ] (51) 

m=0 1=0 

This unitary operation transforms Eve's states as follows, 

N N 



u 



E 



\ e « t ,Pj) 



3=0 



3=0 



As above, this operation makes Alice, Bob and Eve's 
state independent of the specific vector used for CAD. 
The resulting state reads 



d-l 

E 



[SA, SB_ 



AB 



J s A -s B lE 



(52) 



up to normalization. As above, the goal is to see when it
is possible to find a finite N such that the CCQ
correlations of state (52) provide a positive key-rate, according
to the bound of Eq. .



The new disturbances $D'_j$, j = 1, …, d − 1, after the
CAD protocol are equal to

$$D'_j = \frac{D_j^N}{\sum_{k=0}^{d-1} D_k^N} \le \left(\frac{D_j}{F}\right)^N , \qquad (53)$$

where, again, the last inequality tends to an equality sign
for large N. The mutual information between Alice and
Bob is

$$I(A:B) = \log d + \frac{F^N}{p_{ok}} \log \frac{F^N}{p_{ok}} + \sum_{j=1}^{d-1} D'_j \log D'_j . \qquad (54)$$

For large N, this quantity tends to 

JV 



I (A : B) = log d — A 



log-f +o«%n 



where $D_m = \max_j D_j$ for $j \in \{1, \dots, d-1\}$.

Let us now compute Eve's information. Again, since
Alice and Eve share a CQ channel, Eve's information is
measured by the Holevo bound. For very large N, as
in the case of qubits, we can restrict the computation of
$\chi(A:E)$ to the cases where there are no errors between
Alice and Bob after CAD. So, Eve has to distinguish
between N copies of states $|e_{k,k}\rangle$. Thus, in this limit,
$\chi(A:E) \approx S(\rho_E)$, where



k 



(55) 



Denote by $\lambda_\eta$, with η = 0, …, d − 1, the eigenvalues of
$\rho_E$. As shown in Appendix III, one has



A, 



1 d-l d-l 
fc=0 k' =0 



JV 



Decomposing the eigenvalue $\lambda_\eta$ into the term with k = k'
and with k ≠ k', we can write $\lambda_\eta = (1 + X_\eta^{(N)}/d)/d$,
where



fc^fe' 



e k,k\ e k' ,k' 



(56) 



Note that $X_\eta^{(N)}$ is real since $X_\eta^{(N)} = d^2 \lambda_\eta - d$ and $\lambda_\eta$
is real, and $\sum_\eta X_\eta^{(N)} = 0$ because of normalization.
Moreover, $X_\eta^{(N)}$ goes to zero when N increases. Using
the approximation log(1 + x) ≈ x/ ln 2, valid when x ≪ 1,
we have



E^ ^g^i 



(JV) 



= logd 



dln2 



n=o 



e k,k\ e k' ,k' 



2/V 



k^k'

As above, the security condition follows from the
comparison of the exponential terms in the asymptotic
expressions I(A : B) and χ(A : E), having

$$\max_{k \neq k'} |\langle e_{k,k}|e_{k',k'}\rangle|^2 > \max_j \frac{D_j}{F} . \qquad (57)$$

This formula constitutes the searched security condition
for generalized Bell diagonal states. Whenever (57) is
satisfied, there exists a finite N such that the secret-key
rate is positive. In the next section, we analyze the
generalization of the previous attack for qubits to arbitrary
dimension.



B. Eavesdropping attack 

We consider here the generalization of the previous
qubit attack to arbitrary dimension. Unfortunately, we
are unable to use this attack to prove the tightness of
the previously derived condition, namely Eq. (57), in
full generality. However, the techniques developed in this
section can be applied to standard protocols, such as the
2- and (d + 1)-bases protocols. There, thanks to the
symmetries of the problem, we can prove the tightness of the
security condition.

The idea of the attack is the same as for the case of 
qubits. As above, Eve measures after the CAD part of the 
protocol. She first performs the d-outcome measurement 
defined by the projectors 



M. 



cq 



(58) 



where j ≠ 0. The outcomes of these measurements are
denoted by $t_E$. Using this measurement Eve can know in a
deterministic way the difference between Alice and Bob's
measurement outcomes, $s_A$ and $s_B$. If Eve obtains the
outcome corresponding to $M_{eq}$, she knows the tripartite
state is (up to normalization)

$$\sum_{x=0}^{d-1} [xx]_{AB} \otimes [e_{xx}]_E^{\otimes N} . \qquad (59)$$



Now, in order to learn $s_A$, she must discriminate between
the d pure states $|e_{xx}\rangle^{\otimes N}$. Due to the symmetry of these
states, the so-called square-root measurement(SRM) [ZM 
|4?| is optimal, in the sense that it minimizes the error 
probability (see Appendix IV for more details). She then
guesses the right value of $s_A$ with probability



jjsuccess 



1 

d? 
1 

rf2 




ro| e 0,0. 



N 



(60) 



where 



d-l 



(61) 



Yq N ' being real. Note that Y^" ' tends to zero for large 
N. The error probability reads e oq = 1 



(AO 



Tjsuccess 
cq 



If Eve obtains the outcome corresponding to Mj after 
the first measurement, she knows that the three parties 
are in the state (up to normalization) 



^2[x,x + J]ab ® [ex,x+j]% ! 



x=0 

Eve again applies the SRM strategy, obtaining 

2 



P 



success 



where 



U,*0 _ 



'/ 



1 

7p 



E 



d-l 



ri=0 



'I 



(62) 



(63) 



'in, m+i I &Q,j) 



(64) 



^success 



the associated error probability being ej = 1 — Pj 

As a result of this measurement, Alice, Bob
and Eve share the tripartite probability distribution
$P(s_A, s_B, (s_E, t_E))$, where $(s_E, t_E)$ represents Eve's
random variables, $t_E$ ($s_E$) being the result of the first
(second) measurement. For each value of $t_E$, Eve knows the
difference between Alice and Bob's symbol and the error
in her guess for Alice's symbol. It would be nice to
relate the distillation properties of this tripartite
probability distribution to the derived security condition (57),
as we did in the qubit case. Unfortunately, we are at
present unable to establish this connection in full
generality. Actually, we cannot exclude that there exists a gap
for some Bell diagonal states. However, as shown in the
next section, the considered attack turns out to be tight
when applied to standard protocols, such as the 2- and
(d + 1)-bases protocols.

Let us conclude with a remark on the resources Eve
needs for this attack. After applying the same unitary
operation on each qudit, Eve stores her quantum states
in a quantum memory. After CAD, she measures her
corresponding block of N quantum states. Recall that in
the qubit case, Eve does not need any collective
measurement, since an adaptive individual measurement
strategy achieves the fidelity of the optimal collective
measurement [36]. In the case of arbitrary dimension, it is
unknown whether there exists an adaptive measurement
strategy achieving the optimal error probability, at
least asymptotically, when N copies of d symmetrically
distributed states are given [37].

VIII. EXAMPLES: 2- AND (d + 1)-BASES
PROTOCOLS IN HIGHER DIMENSIONS

We now apply the previous security condition to spe- 
cific protocols with qudits, namely the so-called 2- and 
(d+ l)-bases protocols ^(J, which are the generalization 
of the BB84 and the six-state protocols to higher
dimension. In the first case, Alice and Bob measure in two
mutually unbiased bases, say computational and Fourier
transform, while in the second, the honest parties
measure in the d + 1 mutually unbiased bases [43].

The optimal cloning attack for these protocols gives a
Bell diagonal state (45). However, due to the symmetries
of the protocols, the coefficients $c_{m,n}$, or $p_{m,n}$, are such
that

$$\begin{pmatrix} v & x & \cdots & x \\ x & y & \cdots & y \\ \vdots & \vdots & \ddots & \vdots \\ x & y & \cdots & y \end{pmatrix} , \qquad (65)$$

where the normalization condition implies
$v^2 + 2(d-1)x^2 + (d-1)^2 y^2 = 1$. For the (d + 1)-bases protocol,
which is more symmetric, one also has x = y.

The fidelity, that is, the probability that Alice and Bob
obtain the same outcome, is

$$F = \sum_{k=0}^{d-1} \langle kk|\rho_{AB}|kk\rangle = v^2 + (d-1)x^2$$

for all the bases used in the protocol. The errors
distribute in a symmetric way, $D_j = (1-F)/(d-1)$ for all
j ≠ 0. For the (d + 1)-bases protocol, and since we have
the extra constraint x = y, the coefficients $c_{m,n}$ read

$$c_{0,0} = \sqrt{\frac{(d+1)F - 1}{d}} , \qquad c_{m,n} = \sqrt{\frac{1-F}{d(d-1)}} \ \text{ for } m, n \neq 0 . \qquad (66)$$



In the 2-bases protocol, y is a free parameter that can
be optimized for each value of the error rate, D, and
depending on the reconciliation protocol. For instance, if
Eve's goal is to optimize her classical mutual information,
the optimal interaction (1 → 1 + 1 cloning machine) gives
(see |ig for more details) 



$$c_{0,0} = F , \qquad c_{m,0} = c_{0,n} = \sqrt{\frac{F(1-F)}{d-1}} \ \text{ for } m\,(n) \neq 0 , \qquad c_{m,n} = \frac{1-F}{d-1} \ \text{ for } m, n \neq 0 . \qquad (67)$$

In a similar way as in the qubit case, this choice of
coefficients is not optimal when considering two-way
reconciliation protocols, as shown in the next lines.



A. Security bounds 

Having introduced the details of the protocols for
arbitrary d, we only have to substitute the expression of the
coefficients into the derived security condition. Because
of the symmetries of the problem, all disturbances $D_j$
and overlaps $\langle e_{m,m}|e_{0,0}\rangle$ are equal, which means that the
security condition simply reads

$$|\langle e_{m,m}|e_{0,0}\rangle|^2 > \frac{D}{(d-1)F} . \qquad (68)$$

After patient algebra, one obtains the following security
bounds:

1. For (d + 1)-bases protocol, positive key rate is
possible if

$$D < \frac{(d-1)(2d+1-\sqrt{5})}{2(d^2+d-1)} . \qquad (69)$$



The critical QBER for the 6-state protocol, 27.6%, 
is easily recovered by taking d = 2. Recently, Chau 
has derived a general security proof for the same 
protocols in Ref. jijj- Our critical values are the 
same as in his work. 

2. For the 2-bases protocol, the critical disturbances
D are

$$D < \frac{(d-1)(4d-1-\sqrt{4d+1})}{2d(4d-3)} . \qquad (70)$$



The optimal attack, in the sense of minimizing the 
critical error rate, is always obtained for y = 0, see 
(jnnj. The critical QBER for the BB84 protocol is 
recovered when d = 2. These values coincide with
those obtained in [41] for 2-bases protocols.
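
The bounds (69) and (70) can be checked numerically. The Python sketch below is an added example, not code from the paper: it builds Eve's no-error states from the coefficients of Eq. (66) (x = y) or from the y = 0 attack, evaluates the security condition by bisection on D, and compares the result with the closed forms. The function names and the explicit form assumed for Eve's states, |e_{k,k}> = F^{-1/2} sum_n c_{0,n} e^{2 pi i kn/d} |0,n>, are assumptions of this example.

```python
import cmath
import math


def coefficients(protocol, d, D):
    """Entries (v, x, y) of the symmetric coefficient matrix c_{m,n}.

    protocol "d+1": x = y, fixed by F = 1 - D as in Eq. (66).
    protocol "2":   y = 0, the attack the text states is optimal here.
    """
    F = 1.0 - D
    if protocol == "d+1":
        v = math.sqrt(max(0.0, ((d + 1) * F - 1) / d))
        x = y = math.sqrt((1 - F) / (d * (d - 1)))
    elif protocol == "2":
        v = math.sqrt(max(0.0, 1 - 2 * D))   # from v^2 + 2(d-1)x^2 = 1
        x = math.sqrt(D / (d - 1))           # from F = v^2 + (d-1)x^2
        y = 0.0
    else:
        raise ValueError("protocol must be 'd+1' or '2'")
    return v, x, y


def eve_no_error_state(k, d, v, x):
    """Assumed form of |e_{k,k}>: components c_{0,n} e^{2 pi i k n/d} / sqrt(F)."""
    F = v * v + (d - 1) * x * x
    c0 = [v] + [x] * (d - 1)
    return [c0[n] * cmath.exp(2j * math.pi * k * n / d) / math.sqrt(F)
            for n in range(d)]


def overlap(a, b):
    """Inner product <a|b> of two state vectors given as lists."""
    return sum(ai.conjugate() * bi for ai, bi in zip(a, b))


def is_secure(protocol, d, D):
    """Condition max_{k != k'} |<e_kk|e_k'k'>|^2 > max_j D_j / F."""
    v, x, y = coefficients(protocol, d, D)
    F = v * v + (d - 1) * x * x
    states = [eve_no_error_state(k, d, v, x) for k in range(d)]
    lhs = max(abs(overlap(states[k], states[kp])) ** 2
              for k in range(d) for kp in range(d) if k != kp)
    D_j = x * x + (d - 1) * y * y   # D_j = sum_n p_{j,n}, equal for all j != 0
    return lhs > D_j / F


def critical_disturbance(protocol, d, iterations=60):
    """Bisection for the largest D at which the condition still holds."""
    lo = 0.0                                         # noiseless channel: secure
    hi = d / (d + 1) if protocol == "d+1" else 0.5   # largest D with v^2 >= 0
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if is_secure(protocol, d, mid):
            lo = mid
        else:
            hi = mid
    return lo


def closed_form(protocol, d):
    """Right-hand sides of Eq. (69) and Eq. (70)."""
    if protocol == "d+1":
        return (d - 1) * (2 * d + 1 - math.sqrt(5)) / (2 * (d * d + d - 1))
    return (d - 1) * (4 * d - 1 - math.sqrt(4 * d + 1)) / (2 * d * (4 * d - 3))


if __name__ == "__main__":
    for d in range(2, 7):
        for protocol in ("d+1", "2"):
            print(d, protocol,
                  round(critical_disturbance(protocol, d), 6),
                  round(closed_form(protocol, d), 6))
```

For d = 2 the two thresholds reduce to the six-state and BB84 values quoted in the text.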

Once again, there exists a gap between this security
condition and the entanglement limit. For instance, in
the case of (d + 1)-bases protocols, the entanglement limit
coincides with the security condition against individual
attacks [43]

$$|\langle e_{k,k}|e_{l,l}\rangle| > \frac{D}{(d-1)F} ,$$

which looks very similar to (68). Thus, there exist again
weakly entangling channels where we are unable to
establish a secure key using a prepare and measure scheme.



B. Proof of tightness 

Finally, for these protocols, and because of the
symmetries, we are able to prove the tightness of the derived
security condition, under the considered reconciliation
techniques. The goal is to show that the probability
distribution $P(s_A, s_B, (s_E, t_E))$, resulting from the attack
described in Section VII B, cannot be distilled using
one-way communication from Alice to Bob (the same can be
proven if the communication goes from Bob to Alice by
reversing the role of these parties).

FIG. 9: Comparison of the security bounds and the
entanglement condition. The security condition against collective
attacks requires stronger correlation than the entanglement
limit. Again, there may exist some entangled states that are
useless for key distillation with the considered techniques.
(Figure labels: General security; Distillable entanglement.)

In order to do that, we proceed as in the case of qubits.
Alice-Bob's probability distribution is very simple: with
probability F their symbols agree, with probability
$D_j = D/(d-1)$ they differ by j. After CAD on blocks of N
symbols, the new fidelity between Alice and Bob is

$$F_N = \frac{F^N}{F^N + (d-1)\left(\frac{D}{d-1}\right)^N} . \qquad (71)$$



One can see that, again, Eve's error probability in
guessing Alice's symbol is larger when there are no errors
between the honest parties. As in the qubit case, Eve
worsens her guesses by adding randomness in all these cases
and forgets $t_E$. After this process, she guesses correctly
Alice's symbol with probability, see Eq. (60),



Tjsuccess 
cq 



(TV) 




1 + (<*-!) 



F 



N 



+ (d-lWl + 



F 



N 



(72) 



independently of Bob's symbols. Here we used the fact
that $\langle e_{m,m}|e_{0,0}\rangle = (v - x)/F$ when m ≠ 0 for the analyzed
protocols.

After Eve's transformation, the one-way distillability
properties of the final tripartite probability distribution
are simply governed by the errors, as in the qubit
case. Thus, we want to prove that at the point where
the security condition is no longer satisfied, i.e. when
$((v-x)/F)^2 = D/((d-1)F)$, one has

for any block size N. Define $t^2 = D/((d-1)F)$, where
0 < t < 1 because F > 1/d. What we want to prove can
also be written as, see Eqs. (71) and (72),



y/l + (d- l)t N + (d - l)VT+W 



> 



1 



\ + {d-l)t 2N ' 
(74) 



for all N and all d, where 0 < t < 1. Actually, using that
0 < t < 1, it suffices to prove the case N = 1, since all the
remaining cases will follow by replacing $t^N \to t$ and using
the condition for N = 1. After patient algebra, one can
show that (74) is satisfied for N = 1, which finishes the
proof. Therefore, for the considered protocols, the attack
introduced above breaks the security whenever our
security condition does not hold. Therefore, this condition is
tight for the considered reconciliation techniques.



IX. CONCLUSION 

This work provides a general formalism for the security
analysis of prepare and measure schemes, using standard
advantage distillation followed by one-way communication
techniques. The main tools used in this formalism
are the de Finetti argument introduced by Renner
and known bounds on the key rate. We derive a simple
sufficient condition for general security in the important
case of qubit Pauli channels. By providing a specific
attack, we prove that the derived condition is tight.
When applied to standard protocols, such as BB84 and
six-state, our condition gives the critical error rates
previously obtained by Chau. Since our condition is tight,
these critical error rates cannot be improved unless
another reconciliation technique is employed. Here, most
of our analysis focuses on conditions for security. However,
the same techniques can be used to compute key rates.
Actually, our results imply that the critical error rates of
20% and 27.6% for the BB84 and six-state protocols can
be reached without any pre-processing by Alice, contrary
to previous derivations by Chau [3(j or Renner . The 
rates we obtain, then, are significantly larger. We then 
extend the analysis to arbitrary dimension and gener- 
alized Bell diagonal states. The corresponding security 
condition can be applied to obtain critical error rates for 
the 2- and d + 1-bases protocols. For these protocols, we 
can also prove the tightness of the condition. 

We explore several possibilities to improve the ob- 
tained security bounds. As shown here, pre-processing 
by Alice or a coherent version of distillation by Bob do 
not provide any improvement. This is of course far from 
being an exhaustive analysis of all possibilities, but it sug- 
gests that it may be hard, if not impossible, to get the 
entanglement limit by a prepare and measure scheme. In 
our opinion, this is the main open question that naturally 
follows from our analysis. The easiest way of illustrating 
this problem is by considering the simple qubit
depolarizing channel of depolarizing probability 1 − p. This is a
channel where the input state is unchanged with
probability p and mapped into completely depolarized noise with
probability 1 − p. The corresponding state is a two-qubit
Werner state. When p = 1/3, the channel is entanglement
breaking, that is, it does not allow to distribute
entanglement, so it is useless for any form of QKD. As
shown here, the same channel can be used for QKD using
a prepare and measure scheme when $p > 1/\sqrt{5}$. Trivially,
the entanglement limit can be reached if one allows
coherent protocols by the two parties, such as
entanglement distillation. However, is there a prepare and
measure scheme with positive key rate for 1/3 < p <

Appendix I. Cloning Based Attacks

Asymmetric cloning machines have been proven to be a 
useful tool in the study of optimal eavesdropping attacks. 
In a cryptographic scenario, the input state to the cloning 
machine is the one sent by Alice, while one of the outputs 
is forwarded by Eve to Bob, keeping the rest of the output 
state. For instance, in the BB84 case, where Alice uses
states from the x and z bases, the optimal eavesdropping
attack is done by a 1 → 1 + 1 phase-covariant cloning
machine [44] that clones the xz equator. The output
states for Bob and Eve are



1 



PE 



-(I + ri z {n^a x + nfa z ) + r^n^a v ), 



where rji are usually called the shrinking factors. 

In the entanglement picture, this attack corresponds
to the Bell diagonal state

$$\rho_{AB} = \lambda_1[\Phi_1] + \lambda[\Phi_2] + \lambda[\Phi_3] + \lambda_4[\Phi_4] .$$

Here $\lambda_2 = \lambda_3 = \lambda$, which implies that the error rate
is the same in both bases. The normalization condition
is $\lambda_1 + 2\lambda + \lambda_4 = 1$. When compared to the cloning
machine, the shrinking factor are rj^ z — Ai — A4 and 
= 2VA(VAT + \/A7). Note that = 1 - 4A + 4A 4 



and rtf = 2(A + - 2A - A 4 )). 

In the case of using one-way communication distillation 
protocols, Eve's goal is to maximize, for a given QBER, 
her Holevo information with Alice (see Eq. Q). The 
optimal coefficients, or cloning attack, are $\lambda_1 = (1-Q)^2$,
$\lambda = Q - Q^2$, and $\lambda_4 = Q^2$, where Q is the QBER.
When considering two-way communication protocols, as
in this work, the security condition is given in Sec. IV A.
According to this condition, the optimal coefficients are
$\lambda_1 = 1 - 2Q$, $\lambda = Q$, and $\lambda_4 = 0$.



Appendix II. Eve's information in the case of 
pre-processing 

In this appendix, we show how to compute Eve's
information in the case Alice applies pre-processing before
the CAD protocol, for large blocks. In this limit, Eve is
faced with two possibilities, $\rho_{0,0}^{\otimes N}$ and $\rho_{1,1}^{\otimes N}$, that read

$$\rho_{0,0} = u[e_{0,0}] + v[e_{0,1}] , \qquad \rho_{1,1} = u[e_{1,1}] + v[e_{1,0}] . \qquad (75)$$

Indeed, if N ≫ 1, there are almost no errors in the
symbols accepted by Alice and Bob. Eve's Holevo bound
then reads

$$\chi(A:E) \approx S(\sigma_E) - N h(u) , \qquad (76)$$

where we used the fact that $S(\rho_{0,0}^{\otimes N}) = S(\rho_{1,1}^{\otimes N}) = N h(u)$.

The main problem, then, consists of the diagonalization
of $\sigma_E$. Note however that the states $\rho_{0,0}$ and $\rho_{1,1}$
have rank two and their eigenvectors belong to different
two-dimensional subspaces. This implies that $\sigma_E$
decomposes into two-dimensional subspaces that can be easily
diagonalized. The corresponding eigenvalues are

$$\lambda_r = u^r v^{N-r}\, \frac{1 \pm |\langle e_{0,0}|e_{1,1}\rangle|^r\, |\langle e_{0,1}|e_{1,0}\rangle|^{N-r}}{2} \qquad (77)$$

for r = 0, …, N, with degeneracy N!/(r!(N − r)!).
Replacing these eigenvalues into the von Neumann entropy,
one gets

$$S(\sigma_E) = N h(u) + \sum_{r=0}^{N} \binom{N}{r} u^r v^{N-r}\, h\!\left(\frac{1 + |\langle e_{0,0}|e_{1,1}\rangle|^r\, |\langle e_{0,1}|e_{1,0}\rangle|^{N-r}}{2}\right) . \qquad (78)$$

For large N and nonzero u, the only relevant terms in the
previous sum are such that
$|\langle e_{0,0}|e_{1,1}\rangle|^r\, |\langle e_{0,1}|e_{1,0}\rangle|^{N-r} \ll 1$.
One can then approximate $h((1+x)/2) \approx 1 - x^2/\ln 4$,
having

$$S(\sigma_E) \approx N h(u) + 1 - \frac{\left(u|\langle e_{0,0}|e_{1,1}\rangle|^2 + v|\langle e_{0,1}|e_{1,0}\rangle|^2\right)^N}{\ln 4} , \qquad (79)$$

where we used the binomial expansion. Collecting all the
terms, Eve's information reads

$$\chi(A:E) \approx 1 - \frac{\left(u|\langle e_{0,0}|e_{1,1}\rangle|^2 + v|\langle e_{0,1}|e_{1,0}\rangle|^2\right)^N}{\ln 4} . \qquad (80)$$

Appendix III. Properties of geometrically uniform 
states 

A set of d quantum states $\{|\psi_0\rangle, \dots, |\psi_{d-1}\rangle\}$ is said to
be geometrically uniform if there is a unitary operator
U that transforms $|\psi_j\rangle$ into $|\psi_{j+1}\rangle$ for all j, where the
indices read modulo d. All sets of geometrically uniform
states, if the cardinality is the same, are isomorphic.
Therefore, we do not lose any generality when assuming
that those states are of the form:

$$|\psi_\alpha\rangle = \sum_{n=0}^{d-1} c_n\, e^{\frac{2\pi i}{d} n\alpha}\, |x_n\rangle ,$$

where α runs from 0 to d − 1 and $|x_n\rangle$ are an orthonormal
basis. Each state $|\psi_\alpha\rangle$ translates to $|\psi_{\alpha+\beta}\rangle$ by applying
β times the unitary $U = \sum_{m=0}^{d-1} e^{\frac{2\pi i}{d} m}\, |x_m\rangle\langle x_m|$. These
states satisfy the following properties, that are used in
our computations:

• Given a set of geometrically uniform states
$\{|\psi_0\rangle, \dots, |\psi_{d-1}\rangle\}$, an orthonormal basis spanning
the support of those states can explicitly be obtained
as follows:

$$|x_n\rangle = \frac{1}{d\, c_n} \sum_\alpha e^{-\frac{2\pi i}{d} n\alpha}\, |\psi_\alpha\rangle . \qquad (81)$$

• The uniform mixture of geometrically uniform
states gives the orthogonal decomposition in the
basis defined above $\{|x_n\rangle\}$:

$$\rho = \frac{1}{d} \sum_\alpha |\psi_\alpha\rangle\langle\psi_\alpha| = \sum_n c_n^2\, |x_n\rangle\langle x_n| .$$

Therefore, the eigenvalues of the equal mixture of
geometrically uniform states are $c_n^2$. Using (81), these
eigenvalues can be written as:

a,/3 

In our case, we are interested in the eigenvalues of the
state

$$\rho = \frac{1}{d} \sum_\alpha |e_\alpha\rangle\langle e_\alpha|^{\otimes N} ,$$

which approximates Eve's state after CAD in the limit of
large N. The states $|e_\alpha\rangle^{\otimes N}$ are geometrically uniform,
so the searched eigenvalues are:

Appendix IV. Square-Root Measurement (SRM)

We describe the so-called square-root measurement
along the lines given in Ref. Suppose that Alice
encodes a classical random variable i that can take l
different values into a quantum state $|\phi_i\rangle \in \mathbb{C}^d$, with l < d,
and sends the state to Bob. Suppose the l states are
non-orthogonal and span an m-dimensional subspace of
$\mathbb{C}^d$. Denote by $H_m$ the projection into this subspace,
i.e. $H_m|\phi_i\rangle = |\phi_i\rangle$ for all i. Bob has to read out the
encoded value from the quantum state in an "optimal"
way. There exist several "optimal" measurements
depending on the figure of merit to be optimized. Here,
following we consider that Bob applies a measurement
consisting of l rank-one operators $[m_i]$, satisfying
$\sum_i [m_i] = H_m$. The figure of merit to be optimized is the
squared error $E = \sum_{i=0}^{l-1} \langle E_i|E_i\rangle$, where $|E_i\rangle = |\phi_i\rangle - |m_i\rangle$
are the error vectors. As shown in [46], the measurement
strategy minimizing E is the so-called SRM, also known
as pretty-good measurement. The construction of this
optimal measurement works as follows.

Denote by $\Phi$ the matrix whose columns are $|\phi_i\rangle$. The
SRM is constructed from the structure of the matrix $\Phi$.
Applying singular value decomposition to $\Phi = U D V^{\dagger}$,
the optimal measurement matrix is [46]

$$M = \sum_i |u_i\rangle\langle v_i| ,$$

where $|u_i\rangle$ and $|v_i\rangle$ are the column vectors of the two
unitary matrices U and V, respectively. Here the column
vectors of M define the optimal choice of measurement
projectors $|m_i\rangle$.

Moving to our cryptography problem, the states Eve
has to discriminate are the geometrically uniform states

$$|e_\gamma\rangle = \sum_{n=0}^{d-1} \beta_n\, e^{2\pi i (n\gamma/d)}\, |x_n\rangle ,$$

where $|x_n\rangle$ is an orthonormal basis in a d-dimensional
Hilbert space, and γ runs from 0 to d − 1. Each $|e_\gamma\rangle$
is normalized. In our problem, Eve aims at minimizing
her error probability. Interestingly, in the case of
geometrically uniform states, the previous measurement
strategy turns out to minimize the error probability as
well [46]. So, we only have to derive the optimal
measurement matrix from $\Phi = \sum_\gamma |e_\gamma\rangle\langle x_\gamma|$. Using relations
$\Phi^{\dagger}\Phi = V D V^{\dagger}$, the unitary V is the d-dimensional Fourier
transform $\mathcal{F}|x_u\rangle = \frac{1}{\sqrt{d}} \sum_w \exp\!\left(-\frac{2\pi i}{d} wu\right) |x_w\rangle$, and the
diagonal matrix is $D = \mathrm{diag}(\sqrt{d}\,|\beta_n|)$. Therefore, the
optimal measurement matrix is

$$M = \sum_i |m_i\rangle\langle x_i| ,$$

where

^ d-l 
^ d fc=0 

Using this measurement, the probability of guessing
correctly a given state $|e_j\rangle$ is $|\langle m_j|e_j\rangle|^2$. Then, the
average success probability is

$$p^{success} = \sum_{j=0}^{d-1} p(j)\, |\langle m_j|e_j\rangle|^2 = \frac{1}{d} \Big| \sum_n \beta_n \Big|^2 . \qquad (83)$$

The last equality is obtained taking into account that all
$|e_j\rangle$ are equally probable, p(j) = 1/d. In particular, for
the (d + 1)- or 2-bases protocols the success probability
reads, in terms of v and z, $p^{success} = (v + (d-1)z)^2/(dF)$.



When N copies of the states are given, $|e_j\rangle^{\otimes N}$, we can
apply a collective measurement strategy. The SRM is
constructed in the same way as above, and the success
probability, assuming that all states are equi-probable, is



P 



success 



N 



d 2 



,27ri(r]m/d) /
(84)